Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute

Cullen Jennings <fluffy@iii.ca> Thu, 17 May 2018 17:50 UTC

From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <D71B49BA.2F885%christer.holmberg@ericsson.com>
Date: Thu, 17 May 2018 11:50:04 -0600
Cc: RTCWeb IETF <rtcweb@ietf.org>
Message-Id: <C3E953BF-3C77-4ABF-B1C8-DD487D814293@iii.ca>
References: <D71B49BA.2F885%christer.holmberg@ericsson.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/7TrQMwtLU5DhF9C0KprC-J2rwXc>

> On May 11, 2018, at 4:20 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi,
> 
> A few questions/comments on the SDP identity attribute.
> 
> Q1:
> ----
> 
> The draft says that, at minimum, the fingerprint needs to be bound to the identity.
> 
> Does this mean that, in order to include an SDP identity attribute in an offer/answer, the offer/answer MUST also contain at least one SDP fingerprint attribute? Based on the text about generating the identity it seems like that, but it is not very clear in the SDP procedures.
> 

JSEP requires DTLS/SRTP, which requires adding the fingerprint, so I think this is already required. Also, JSEP points out that lack of a fingerprint will cause negotiation failure.


> Q2:
> ----
> 
> Section 5.6.4.1 says:
>    "The "a=identity" attribute MUST include all
>    fingerprint values that are included in "a=fingerprint" lines."
> 
> First, related to the generation of the assertion value, it is unclear how this is implemented. For example, is there a separate JSON object (section 5.6.4) provided to the IdP for each fingerprint? The text talks about a “single” fingerprint in the object. Or, are all fingerprints included in the same JSON object?

Yah, I think it would get an Identity token for each fingerprint via a Generate Assertion for each fingerprint. But I think that is largely a WebRTC issue.

> 
> Second, it is unclear what “attribute MUST include all fingerprint values” means. I assume that the attribute will only include a single attribute assertion value, but that the value will be generated by the IdP based on all fingerprint values?

So if there were multiple fingerprints, the SDP would have multiple Identity lines.

> 
> 
> Q3: 
> ----
> 
> In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it is a media-level attribute. AFAIR, media-level attributes cannot be included as session-level attributes.
> 

I think fingerprint is valid as either session-level or media-level, so I suspect this is fine. JSEP also says that if the certs are the same, then it can be session-level, but if they are different then it must be media-level. So I think this is covered in JSEP.

> Regards,
> 
> Christer
> 
> 
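As an added illustration of the checks discussed under Q2 and Q3 (not code from the thread, the draft, or any browser), the following Python collects every a=fingerprint line, whether session-level or media-level, and verifies that the union of fingerprints vouched for across all a=identity lines covers them, so an unasserted fingerprint is flagged. It assumes the draft's encoding of the a=identity value as base64 JSON with an assertion member and a fingerprint array of algorithm/digest objects; because assertion formats are IdP-specific, a constructed stand-in IdP that simply base64-encodes the contents JSON is used in place of a real IdP proxy.

```python
import base64, json, re

FP_RE = re.compile(r"^a=fingerprint:(\S+)\s+(\S+)$")

def fingerprints_in_sdp(sdp):
    """Every a=fingerprint value, session- or media-level, as (alg, digest)."""
    found = set()
    for line in sdp.splitlines():
        m = FP_RE.match(line.strip())
        if m:
            found.add((m.group(1).lower(), m.group(2).upper()))
    return found

def stand_in_idp_verify(assertion):
    """Constructed stand-in for the IdP proxy (real assertion formats are
    IdP-specific): here the assertion is just the base64 contents JSON."""
    return base64.b64decode(assertion).decode()

def fingerprints_in_identities(sdp):
    """Union of the fingerprints vouched for by all a=identity lines."""
    asserted = set()
    for line in sdp.splitlines():
        if line.startswith("a=identity:"):
            outer = json.loads(base64.b64decode(line[len("a=identity:"):]))
            contents = json.loads(stand_in_idp_verify(outer["assertion"]))
            for fp in contents["fingerprint"]:
                asserted.add((fp["algorithm"].lower(), fp["digest"].upper()))
    return asserted

def uncovered_fingerprints(sdp):
    """Fingerprints on the wire that no identity assertion covers; must be empty."""
    return fingerprints_in_sdp(sdp) - fingerprints_in_identities(sdp)

def make_identity(fps):
    """One a=identity line from the constructed IdP covering the given fingerprints."""
    contents = json.dumps({"fingerprint": [{"algorithm": a, "digest": d} for a, d in fps]})
    outer = {"idp": {"domain": "idp.example", "protocol": "default"},
             "assertion": base64.b64encode(contents.encode()).decode()}
    return "a=identity:" + base64.b64encode(json.dumps(outer).encode()).decode()

# Constructed sample: two m= sections using different certs, so the fingerprints
# sit at media level, with one session-level identity line per fingerprint.
FP_AUDIO = ("sha-256", "AA:11:" * 15 + "AA:11")
FP_VIDEO = ("sha-256", "BB:22:" * 15 + "BB:22")
SDP_OK = "\n".join(["v=0", make_identity([FP_AUDIO]), make_identity([FP_VIDEO]),
                    "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=fingerprint:%s %s" % FP_AUDIO,
                    "m=video 9 UDP/TLS/RTP/SAVPF 96", "a=fingerprint:%s %s" % FP_VIDEO])
# Same offer, but the video fingerprint was swapped for one nobody asserted.
SDP_BAD = SDP_OK.replace(FP_VIDEO[1], "CC:33:" * 15 + "CC:33")
```

A receiver that treats a non-empty result from uncovered_fingerprints as an identity-validation failure closes the gap Q2 asks about: every fingerprint on the wire, regardless of which m= section carries it, must be bound to an asserted identity.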