IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Martin Thomson <martin.thomson@gmail.com> Tue, 07 May 2013 17:53 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 313CE21F93D6 for <rtcweb@ietfa.amsl.com>; Tue, 7 May 2013 10:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_111=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0w8uIaNiSi3k for <rtcweb@ietfa.amsl.com>; Tue, 7 May 2013 10:53:49 -0700 (PDT)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 999C321F9385 for <rtcweb@ietf.org>; Tue, 7 May 2013 10:53:42 -0700 (PDT)
Received: by mail-we0-f174.google.com with SMTP id x53so835626wes.19 for <rtcweb@ietf.org>; Tue, 07 May 2013 10:53:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=keRtU8sjFfT4kk+33wdM67s7a5YK6MJXZRnJ6/lRv7c=; b=zhnBYr6z7L1xuP17lZO26cpghO88VZ6CjulDZeOnQDENjJQrfiKYJJD9zJLU7OYAGw KYkhn06wnnCgJWbFfGuhtcVtFert71t7UclKs0pP0htuTaB6HIsCHv5BJUJIVMHVE24K Xam96lGDvcJkiB7+1k6vq4gPacq3bpoQsTLm/UaRUMF1FXRD8YoFG4VaBZvbvl+FucgM Jagrs+6tjH8Tg2b+FKwu56C17XrGk5iR3NU1HJa78/8eDScZwTa0YJSO4PgICALpnGxF fQKYeBBXV3vJWLpQk5h322/WG9cYEh6NpMFhl9aZWygOfFaMN/q9z0MDrY0r9WcgnHJY hzbQ==
MIME-Version: 1.0
X-Received: by 10.194.78.204 with SMTP id d12mr5177323wjx.42.1367949221734; Tue, 07 May 2013 10:53:41 -0700 (PDT)
Received: by 10.194.33.102 with HTTP; Tue, 7 May 2013 10:53:41 -0700 (PDT)
In-Reply-To: <65B9872A-12D8-4CD3-85B6-DDCA13652D0C@cisco.com>
References: <3FA2E46D-C98E-4FC0-9F1D-AD595A861CE1@iii.ca> <74300615-2293-4DCE-82A7-475F1A5A8256@gmail.com> <91B4F744-2201-4361-A8D8-7D36F47B865C@cisco.com> <CALiegfnqW26gEMYNpjJyzu=Nd6z9wCjvZbuY1N2tYvbfQiHyPA@mail.gmail.com> <95219856-8365-4A7E-BD0B-4EECE8868498@phonefromhere.com> <517A820F.9050807@alvestrand.no> <22E6A779-1573-4EDE-82D6-B1A831CE4833@cisco.com> <F3005B7CDE1DA5498B794C655CE1641E088481@GENSJZMBX03.msg.int.genesyslab.com> <EA463351-7630-4F9C-ABDC-E79A77158B7D@phonefromhere.com> <F3005B7CDE1DA5498B794C655CE1641E089287@GENSJZMBX03.msg.int.genesyslab.com> <65B9872A-12D8-4CD3-85B6-DDCA13652D0C@cisco.com>
Date: Tue, 07 May 2013 10:53:41 -0700
Message-ID: <CABkgnnXZfu5W+tRbRRQYEY5RSszfuoV8sESWbWZwM92wTjT_iw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Dan Wing <dwing@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 17:53:50 -0000

On 7 May 2013 09:06, Dan Wing <dwing@cisco.com> wrote:
>
> On May 7, 2013, at 7:55 AM, Henry Lum <Henry.Lum@genesyslab.com> wrote:
>
>> Does the signalling and DTLS media stream need to use the same certificate or the certificates
>
> No, DTLS-SRTP does not require they have the same certificate.  It does require the certificate fingerprint be sent in call signaling (in the SDP a=fingerprint line), and that the certificate exchanged in DTLS match that fingerprint.  This binds the call signaling to the media.

That provides the "this is the call that I signaled" assertion.
Identity is provided separately.

As Tim points out, the certificate could be signed by a trusted CA and
contain identity information.  It might be the same identity as the
signaling channel, but it doesn't have to be the same private key.

Alternatively, identity could be provided by the generic IdP
mechanism.  Then the specific contents of the certificate are largely
irrelevant.

I wonder though.  Is there any point in discussing the advantages of
DTLS-SRTP on this thread?  We already agree that it is MUST implement.

Recording scenarios like this aren't especially interesting because
mostly they occur beyond the point at which peer identity
authentication occurs.  The gateway decrypts the media and sends it to
a recording point, or it just forwards it on with the necessary keys.
I doubt very much that the recording element would need to be
authenticated to the remote caller, unless recording is the only thing
you plan on doing.

v2.23.0 | Report a Bug | By Email