Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 24 May 2018 19:49 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Cullen Jennings <fluffy@iii.ca>
CC: RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute
Date: Thu, 24 May 2018 19:49:13 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B72F06FBD@ESESSMB109.ericsson.se>
References: <D71B49BA.2F885%christer.holmberg@ericsson.com> <C3E953BF-3C77-4ABF-B1C8-DD487D814293@iii.ca> <7594FB04B1934943A5C02806D1A2204B72EEFB16@ESESSMB109.ericsson.se> <8335F3D9-3A20-4B8F-AB44-62E2E966BAAB@iii.ca>
In-Reply-To: <8335F3D9-3A20-4B8F-AB44-62E2E966BAAB@iii.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/G9gE-2ccBRLQPsEnLHB6R8Lbb20>

Hi,

> You are right Christer, I was looking at this the wrong way of how it was used vs the defn. of Identity. 
> Let me answer the questions from only the point of view how the Identity header is defined by 
> draft-ietf-rtcweb-security-arch and not how the identity header is used in WebRTC in general. 
> 
>> Q1:
>> ----
>>  
>> The draft says that, at minimum, the fingerprint needs to be bound to the identity.
>>  
>> Does this mean that, in order to include an SDP identity attribute in an offer/answer, the offer/answer MUST 
>> also contain at least one SDP fingerprint attribute? Based on the text about generating the identity it seems 
>> like that, but it is not very clear in the SDP procedures.
>  
> It seems to me that the defn of an Identity header does not need it to be used for fingerprints at all. What goes in the 
> assertion is pretty much determined by the IdP. Some future system that did not have fingerprints but used token binding 
> or blockchain style smart contracts could probably work just fine. It's up to the IdP. 
>
> So I might be wrong but I would say that Identity header does not require a fingerprint to be in the SDP, but when Identity 
> is used in WebRTC, there will also be a fingerprint. 

But, the text says that, at a minimum, the fingerprint needs to be bound to the identity.

If that is not true, that statement needs to be removed/modified. If it does apply to WebRTC, it needs to be clear that it is a WebRTC requirement, not a generic attribute requirement.

---

>> Q2:
>> ----
>>  
>> Section 5.6.4.1 says:
>>    "The "a=identity" attribute MUST include all
>>    fingerprint values that are included in "a=fingerprint" lines."
>>  
>> First, related to the generation of the assertion value, it is unclear how this is implemented. For example, is 
>> there a separate JSON object (section 5.6.4) provided to the IdP for each fingerprint? The text talks about “single” 
>> fingerprint in the object. Or, are all fingerprints included in the same JSON object?
>  
> As you point out, all that the Identity assertion definition defines is how to encode it, and that's base64 of JSON, 
> so that part is fine. Section 5.6.4.1 is about how Identity is used in the context of WebRTC. How the IdP does this is 
> pretty much out of scope for IETF stuff, but I think you raise a good point that this implies that in the WebRTC case, if there 

My question was whether each assertion will be in a separate JSON. But, when re-reading the draft I think I found the answer. The ABNF can contain multiple assertions, and there is text saying that each assertion is a JSON.

>> Second, it is unclear what “attribute MUST include all fingerprint values” means. I assume that the attribute will only 
>> include a single attribute assertion value, but that the value will be generated by the IdP based on all fingerprint values?

---

>> Q3: 
>> ----
>>  
>> In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it 
>> is a media-level attribute. AFAIR, media-level attributes cannot be included as session-level attributes.
>   
> Section 8 of RFC4572 that defines the fingerprint attribute says that it is both at session and media-level attribute. 
> (2nd para of https://tools.ietf.org/html/rfc4572#section-8 ) 

Yes, but this draft defines the Identity attribute :)

Just because the Identity attribute can be used together with the Fingerprint attribute, that doesn't mean it automatically inherits the properties of the Fingerprint attribute - especially since you earlier indicated that there may be cases where the fingerprint isn't even used for the assertion. The definition of the Identity attribute needs to state whether it can be used at session and/or media level.

Regards,

Christer
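As an added illustration of the check Q2 and Q3 turn on (my example, not code from the draft or from either author): collect every a=fingerprint line at session and media level, decode the base64 JSON a=identity value, and report fingerprints the assertion does not bind. The outer "idp"/"assertion" layout follows the draft; the inner assertion body (JSON listing bound fingerprints), the IdP domain and all digests are constructed assumptions, since the assertion contents are IdP-defined.

```python
import base64
import json


def make_identity(fingerprints, domain="idp.example.com"):
    """Constructed a=identity value: base64 of JSON with the draft's "idp" and
    "assertion" members. The assertion body here is a hypothetical IdP format
    (JSON listing bound fingerprints), not any real IdP's signed token."""
    body = {"fingerprint": [{"algorithm": a, "digest": d} for a, d in fingerprints]}
    outer = {"idp": {"domain": domain, "protocol": "default"},
             "assertion": base64.b64encode(json.dumps(body).encode()).decode()}
    return base64.b64encode(json.dumps(outer).encode()).decode()


def collect_fingerprints(sdp):
    """Map (algorithm, digest) -> "session" or 0-based m= section index."""
    found, level = {}, "session"
    for line in sdp.splitlines():
        if line.startswith("m="):
            level = 0 if level == "session" else level + 1
        elif line.startswith("a=fingerprint:"):
            alg, digest = line[len("a=fingerprint:"):].split(" ", 1)
            found[(alg.lower(), digest.upper())] = level
    return found


def asserted_fingerprints(identity_value):
    """Decode a=identity and return the fingerprints the assertion claims to bind."""
    outer = json.loads(base64.b64decode(identity_value))
    body = json.loads(base64.b64decode(outer["assertion"]))  # assumed format
    return {(f["algorithm"].lower(), f["digest"].upper()) for f in body["fingerprint"]}


def check_binding(sdp):
    """"unbound": a=fingerprint lines the identity never vouched for (violates the
    MUST in 5.6.4.1); "stale": asserted digests absent from the SDP."""
    identity = [l for l in sdp.splitlines() if l.startswith("a=identity:")]
    if len(identity) != 1:
        raise ValueError("expected exactly one a=identity line")
    in_sdp = collect_fingerprints(sdp)
    bound = asserted_fingerprints(identity[0][len("a=identity:"):])
    return {"unbound": set(in_sdp) - bound, "stale": bound - set(in_sdp),
            "levels": sorted(set(in_sdp.values()), key=str)}


# Constructed offer: session-level and media-level fingerprints, but the
# identity binds only the session-level one, so the media one is "unbound".
FP_SESSION = ("sha-256", "AB:" * 31 + "AB")
FP_MEDIA = ("sha-256", "CD:" * 31 + "CD")
SAMPLE_SDP = "\n".join([
    "v=0", "o=- 1 1 IN IP4 0.0.0.0", "s=-",
    "a=fingerprint:%s %s" % FP_SESSION,
    "a=identity:" + make_identity([FP_SESSION]),
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "a=fingerprint:%s %s" % FP_MEDIA,
    "m=video 9 UDP/TLS/RTP/SAVPF 96"])
```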