Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute
Paul Kyzivat <pkyzivat@alum.mit.edu> Sun, 20 May 2018 19:49 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB7012D80F for <rtcweb@ietfa.amsl.com>; Sun, 20 May 2018 12:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Kpapa6mkqxN for <rtcweb@ietfa.amsl.com>; Sun, 20 May 2018 12:49:18 -0700 (PDT)
Received: from alum-mailsec-scanner-4.mit.edu (alum-mailsec-scanner-4.mit.edu [18.7.68.15]) by ietfa.amsl.com (Postfix) with ESMTP id A03D812D93E for <rtcweb@ietf.org>; Sun, 20 May 2018 12:49:18 -0700 (PDT)
X-AuditID: 1207440f-e97ff7000000582b-99-5b01d13bfa66
Received: from outgoing-alum.mit.edu (OUTGOING-ALUM.MIT.EDU [18.7.68.33]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by alum-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id B1.26.22571.C31D10B5; Sun, 20 May 2018 15:49:16 -0400 (EDT)
Received: from PaulKyzivatsMBP.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.13.8/8.12.4) with ESMTP id w4KJnDX2009427 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <rtcweb@ietf.org>; Sun, 20 May 2018 15:49:15 -0400
To: "rtcweb@ietf.org" <rtcweb@ietf.org>
References: <D71B49BA.2F885%christer.holmberg@ericsson.com> <C3E953BF-3C77-4ABF-B1C8-DD487D814293@iii.ca> <7594FB04B1934943A5C02806D1A2204B72EEFB16@ESESSMB109.ericsson.se> <D72450E1.2FE33%christer.holmberg@ericsson.com> <7594FB04B1934943A5C02806D1A2204B72EF3DA9@ESESSMB109.ericsson.se>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <477e3870-00bc-19e2-21bb-563dd9c3df7a@alum.mit.edu>
Date: Sun, 20 May 2018 15:49:12 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B72EF3DA9@ESESSMB109.ericsson.se>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLIsWRmVeSWpSXmKPExsUixO6iqGtzkTHa4M1TY4u1/9rZHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CV8fePa0G/WcWdr/+ZGxj3aHQxcnJICJhIrGqYx9rFyMUhJLCD SeJcxyk2kISQwHcmiebNmiC2sECMxNzZnawgtoiAusTlhxfYIRqWMkl0rZ7EDpJgE9CSmHPo PwuIzStgLzF3zwmwBhYBVYmm1Z1gNaICaRL3N09ihKgRlDg58wlQPQcHp4CfxJzvFSBhZgFb iTtzdzND2OISt57MZ4Kw5SWat85mnsDIPwtJ9ywkLbOQtMxC0rKAkWUVo1xiTmmubm5iZk5x arJucXJiXl5qka6JXm5miV5qSukmRkhI8u9g7Fovc4hRgINRiYf3RiFDtBBrYllxZe4hRkkO JiVRXi6r/1FCfEn5KZUZicUZ8UWlOanFhxglOJiVRHiVlzFGC/GmJFZWpRblw6SkOViUxHlZ TfZGCQmkJ5akZqemFqQWwWRlODiUJHgPnAdqFCxKTU+tSMvMKUFIM3FwggznARr+FKSGt7gg Mbc4Mx0if4pRl2PK8/4eZiGWvPy8VClx3t8gRQIgRRmleXBzYKnkFaM40FvCvIoXgKp4gGkI btIroCVMQEs6DgF9x1tckoiQkmpgtIne9aPOVMHvYEyQb/rcua5bJy5pdVmzRltj5Yyvyh0P Qn1qzx9KZg3TdRc8vW9qnvOk4AerLm5nY7iz4OS9/bISPcEOWU5PPpp2LI9t33pM8EH5plcX GVguRd23UMi12lVoGZm0dV9hQ+oSD5Wcmp7Xbfti13MsV7DjmfKRbaOanTmTw6sQJZbijERD Leai4kQAts6RDAADAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/7sxbH2_q0_niRyrxAmsmQVPAsRo>
Subject: Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 May 2018 19:49:21 -0000
Christer just made me aware of this discussion. I have a couple of
comments about definition of the attribute.
FIRST:
I find the extension mechanism to be atypical. Currently it is:
identity-attribute = "identity:" identity-assertion
[ SP identity-extension
*(";" [ SP ] identity-extension) ]
This sets the list of extensions off from the identity assertion with a
space while then separating them from one another by semicolons. This
seems to blend SDP and SIP syntax oddly. I would expect to go more fully
in one direction or the other. Either:
identity-attribute = "identity:" identity-assertion
*( SP identity-extension )
or
identity-attribute = "identity:" identity-assertion
*(";" identity-extension)
(May require tweaking extension-att-value.)
SECOND:
Form of SDP attribute definitions:
Historically there have been problems with the definitions of new SDP
attributes. Especially, the manner of defining the syntax was
inconsistent. RFC4566 gave insufficient guidance on how to do this.
draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided
more guidance on how to do this. Please do your definitions in that
style. For instance:
5.6.4.2 a=identity Attribute
The identity attribute is session level only. It contains an
identity assertion, encoded as a base-64 string [RFC4648].
Attribute Name: identity
Attribute Value: identity-value
Usage Level: session
Charset Dependent: No
Mux Category: ???
The Augmented BNF syntax [2] for the attribute is:
identity-value = identity-assertion
[ SP identity-extension
*(";" [ SP ] identity-extension) ]
; perhaps altered based on above discussion
[continue on with remainder of section.]
7. IANA Considerations
This document defines the SDP attribute,'identity'.
The details of the attribute are defined in Section 5.
For issues regarding this attribute contact Eric Rescorla
(ekr@rftm.com).
But it seems that current practice is moving away from identifying
individuals in the contact information, in favor of listing a wg mailing
list or the iesg mailing list.
Thanks,
Paul
On 5/18/18 3:46 PM, Christer Holmberg wrote:
> FYI,
>
> You may want to take a look at this. I wasn’t even aware that they are
> defining an SDP attribute in the security architecture document, and as
> far as I know there has been no request to e.g., the SDP security
> directorate to look at it.
>
> Regards,
>
> Christer
>
> *From:*rtcweb [mailto:rtcweb-bounces@ietf.org] *On Behalf Of *Christer
> Holmberg
> *Sent:* 18 May 2018 08:42
> *To:* Cullen Jennings <fluffy@iii.ca>
> *Cc:* RTCWeb IETF <rtcweb@ietf.org>
> *Subject:* Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on
> SDP identity attribute
>
> Resending, as it seems like my reply to Cullen yesterday got stucked
> somewhere on the Internet.
>
> Regards,
>
> Christer
>
> *From: *Christer Holmberg <christer.holmberg@ericsson.com
> <mailto:christer.holmberg@ericsson.com>>
> *Date: *Thursday 17 May 2018 at 21:03
> *To: *Cullen Jennings <fluffy@iii.ca <mailto:fluffy@iii.ca>>
> *Cc: *"rtcweb@ietf.org <mailto:rtcweb@ietf.org>" <rtcweb@ietf.org
> <mailto:rtcweb@ietf.org>>
> *Subject: *RE: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on
> SDP identity attribute
>
> Hi,
>
> A few questions/comments on the SDP identity attribute.
>
> Q1:
>
> ----
>
> The draft says that, at minimum, the fingerprint needs to be bound
> to the identity.
>
> Does this mean that, in order to include an SDP identity attribute
> in an offer/answer, the offer/answer MUST also contain at least one
> SDP fingerprint attribute? Based on the text about generating the
> identity it seems like that, but it is not very clear in the SDP
> procedures.
>
> JSEP requires DTLS/SRTP which requires adding the fingerprint so I think
> this is already required. Also JSEP points out lack of fingerprint will
> cause negotiation failure.
>
> This is not about JSEP, but the definition of the SDP identity
> attribute. As this attribute can (I assume) be used on the wire, it
> needs to defined as such.
>
> The USAGE of the attribute can then be scoped to WebRTC, JSEP, or whatever.
>
>
>
>
> Q2:
>
> ----
>
> Section 5.6.4.1 says:
>
> "The "a=identity" attribute MUST include all
>
> fingerprint values that are included in "a=fingerprint" lines."
>
> First, related to the generation of the assertion value, it is
> unclear how this is implemented. For example, is there a separate
> JSON object (section 5.6.4) provided to the IdP for each
> fingerprint? The text talks about “single” fingerprint in the
> object. Or, are all fingerprints included in the same JSON object?
>
> Yah, I think it would get a Identity token for each fingerprint via a
> Generate Assertion for each fingerprint. But I think that is largely
> WebRTC issue.
>
>
> While it may be an WebRTC issue how to use multiple fingerprints in
> general, it is an SDP issue how to encode the attribute.
>
> Second, it is unclear what “attribute MUST include all fingerprint
> values” means. I assume that the attribute will only include a
> single attribute assertion value, but that the value will be
> generated by the IdP based on all fingerprint values?
>
> So if there were multiple fingerprint, the SDP would have multiple
> Identity lines.
>
> In that case I don’t understand the statement in section 5.6.4.2, that says:
>
> “The semantics of multiple identity attributes are undefined.”
>
> Also, to me “attribute MUST include all fingerprint values” sounds like
> a single attribute with multiple fingerprint values.
>
>
> Q3:
>
> ----
>
> In the example in Section 5.6.4.1 the SDP fingerprint attribute is
> included as a session-level attribute. However, it is a media-level
> attribute. AFAIR, media-level attributes cannot be included as
> session-level attributes.
>
> I think fingerprint is valid as both session-level or media-level so I
> suspect this is fine. JSEP also says that if the certs are the same,
> then it can be session level but if different then must be media level.
> So I think this is covered in JSEP.
>
> JSEP does not define the attribute. If the attribute can be used both on
> session- and media-level it needs to be defined in such way in
> draft-ietf-rtcpweb-security-arch.
>
> Regards,
>
> Christer
>
- [rtcweb] draft-ietf-rtcweb-security-arch: Questio… Christer Holmberg
- Re: [rtcweb] draft-ietf-rtcweb-security-arch: Que… Cullen Jennings
- Re: [rtcweb] draft-ietf-rtcweb-security-arch: Que… Christer Holmberg
- Re: [rtcweb] draft-ietf-rtcweb-security-arch: Que… Christer Holmberg
- Re: [rtcweb] draft-ietf-rtcweb-security-arch: Que… Paul Kyzivat
- Re: [rtcweb] draft-ietf-rtcweb-security-arch: Que… Cullen Jennings
- Re: [rtcweb] draft-ietf-rtcweb-security-arch: Que… Christer Holmberg