IETF Logo Mail Archive

Re: [rtcweb] JSEP fingerprint hash requirements

Martin Thomson <martin.thomson@gmail.com> Thu, 17 October 2013 18:54 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7914F21F9A10 for <rtcweb@ietfa.amsl.com>; Thu, 17 Oct 2013 11:54:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.245
X-Spam-Level:
X-Spam-Status: No, score=-2.245 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, J_CHICKENPOX_111=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id coe04wxlWueB for <rtcweb@ietfa.amsl.com>; Thu, 17 Oct 2013 11:54:27 -0700 (PDT)
Received: from mail-we0-x236.google.com (mail-we0-x236.google.com [IPv6:2a00:1450:400c:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 4065B11E8191 for <rtcweb@ietf.org>; Thu, 17 Oct 2013 11:54:24 -0700 (PDT)
Received: by mail-we0-f182.google.com with SMTP id t61so2736386wes.41 for <rtcweb@ietf.org>; Thu, 17 Oct 2013 11:54:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ujU82CkjcI7fCp6E+RD0WE9wBXk5I1sVEQ50DZQExHU=; b=uDVqzO85WdIMpVRTLdvxrJ8YhwD+AZalQAXBtjdw5pI9PuYzdHFONRBowYbFJJzZ+/ l+HoXYTY3XwfZB/bZ9Q9+QPCfUM4r4k2Z0+7KoTqFHmUcLdLiPkn302D1WVhD89y09V2 bC0IsfnrfKlhX4li1WdD/7oGeV3PjBcK3EKKprKchN2GwW9OVRbD/EjO9aHobMNddfQp b/j3M7413EqMGZYZrIjs657BCEcTWwKRMnY5TApmS/S42NeJFrBGtzOKZqXd55n/bpTr 5G4oznvzJHjVlUhAiVJQXvicA+SbQzBJyvnt7Cq+EnOqbX9w/Rn6ByRJaMjkmRq/v1pZ BZ0A==
MIME-Version: 1.0
X-Received: by 10.194.104.42 with SMTP id gb10mr8704339wjb.16.1382036063336; Thu, 17 Oct 2013 11:54:23 -0700 (PDT)
Received: by 10.227.202.194 with HTTP; Thu, 17 Oct 2013 11:54:23 -0700 (PDT)
In-Reply-To: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com>
References: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com>
Date: Thu, 17 Oct 2013 11:54:23 -0700
Message-ID: <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Kevin Dempsey <kevindempsey70@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] JSEP fingerprint hash requirements
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 18:54:27 -0000

On 17 October 2013 01:37, Kevin Dempsey <kevindempsey70@gmail.com> wrote:
> 1) does the fingerprinh hash need to match the certificate

Yes.  Without that, you've got no binding between signaling and media
path, which is bad.

> 2) do webrtc compatible endpoints need to handle hashes 'weaker' than
> sha-256

No.  RFC 4572 is clear:
   A certificate fingerprint MUST be computed using the same one-way
   hash function as is used in the certificate's signature algorithm.

That means that you need to generate the certificate with a hash that
is strong enough.

> 3) are there any rules for handling multiple fingerprints?

RFC 4572 is silent on that, unless I missed something, which I
probably did.  The only plausible choice given the above statement
from 4572 is to suggest that multiple a=fingerprint values indicate
alternative certificates.

That should probably be written down, of course.

v2.23.0 | Report a Bug | By Email