IETF Logo Mail Archive

Re: [rtcweb] Security Architecture: IdP for RTP and RTCP

Justin Uberti <juberti@google.com> Fri, 11 July 2014 16:03 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15E971B2B14 for <rtcweb@ietfa.amsl.com>; Fri, 11 Jul 2014 09:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.829
X-Spam-Level:
X-Spam-Status: No, score=-0.829 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_111=0.6, J_CHICKENPOX_18=0.6, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id toaAUMcsDRZB for <rtcweb@ietfa.amsl.com>; Fri, 11 Jul 2014 09:03:48 -0700 (PDT)
Received: from mail-vc0-x22a.google.com (mail-vc0-x22a.google.com [IPv6:2607:f8b0:400c:c03::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0141D1A0659 for <rtcweb@ietf.org>; Fri, 11 Jul 2014 09:03:47 -0700 (PDT)
Received: by mail-vc0-f170.google.com with SMTP id hu12so1347286vcb.29 for <rtcweb@ietf.org>; Fri, 11 Jul 2014 09:03:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=BjQGbMZtytmmktpwxYxZixrTE6jJ9C8f4pSZb1M/ouc=; b=inUFnyCh4HBn0wj/g6+foQF48ofuiTgS+gYE/CgF3fa877Or06iJRH0qfO6DM+5Rpn jEqRypf3Lg3FLTf4FqfAoOnErBjbD5dNSQYkMfOUBetHO8USo0qiqfBT9AN//VM+norK pTTtiYp67G20Qg+9ah3KhnLR+57oj4te93ywhG3FvRSqX7Bbklszcv/WfHV/eNP5Xs0F s/aIh5UdvjXAP0MXM7x/QPtgmA3kcsNs8UJtI+wHTPAa25+sbl7wHSjUkt+KhRZHOs+r /vGRTH/Bf6Y5LJnkWx+v5HPRQT+/eiRUqeJVpIJHDi1oJlqoqQdYRpjc0q+gbFhsTViE djaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=BjQGbMZtytmmktpwxYxZixrTE6jJ9C8f4pSZb1M/ouc=; b=TTJgnuZG7EgQYr2Nwoa+MYxW+a5NozMuVLgrtpx1qKxstt8Oh9ipuZoqaTPycRa/xk rp/HXIJfNcWG8cr5J38hFT+YlHsg/F7lhUCCGQ4II/ylvie7smIOS4iuApV5EI01XRsz Qg11i9deC9E1hb5hZdyJE2rM9C7Brg1P+QbSozPDiD6ewfIuRCoTmRX8KuW3XWcL3y+8 hvs8E0dEbL7VGNHGPgi4tf7Hq2axGxJ88p1zlrqiQsVi/PNmBD4oSd1ND+ajuh6CXNqK Y6tAv3DP04RjDDLGRTu7v1DIuvCirCg2XAKbmFXVIvFteummvIEue/qn8ASRPOfRz98v v4vw==
X-Gm-Message-State: ALoCoQmHMO8mwM5m/ib7r8NC12DGKMpeNqCQqPD5zgtW2pkvh+CRK7c7qtOcCFhuLJXZWEx+3hkF
X-Received: by 10.52.121.112 with SMTP id lj16mr44320219vdb.29.1405094627124; Fri, 11 Jul 2014 09:03:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.27.8 with HTTP; Fri, 11 Jul 2014 09:03:27 -0700 (PDT)
In-Reply-To: <CABkgnnUEXCuOcG_p5BpZf8Wz2Y-Pq92XGpmEb5304-uTz9JNuA@mail.gmail.com>
References: <CAOW+2dsVZj56aVL5+79d6RSTZFLwjfWdm=rs7FPnvdWQZHAdfA@mail.gmail.com> <CABkgnnUEXCuOcG_p5BpZf8Wz2Y-Pq92XGpmEb5304-uTz9JNuA@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Fri, 11 Jul 2014 09:03:27 -0700
Message-ID: <CAOJ7v-0iDjSFuDY=c_1vXApRWo66pXe_Hra=SnhWRKca-xBCSA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="089e01184dc2204beb04fded16ec"
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/Kspzr505CtFYuO-nQJsSGslnMiw
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Security Architecture: IdP for RTP and RTCP
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jul 2014 16:03:50 -0000

On Tue, Jul 8, 2014 at 11:09 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 8 July 2014 10:54, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> > In the situation where RTP and RTCP are not multiplexed, distinct DTLS
> > transports and DTLS/SRTP key exchanges would occur for RTP and RTCP.
> >
> > In looking for guidance within the security architecture document, some
> > questions came to mind:
> >
> > a. Are the certificates used for RTP and RTCP DTLS Transports necessarily
> > the same on both the local and remote side? If they are supposed to be
> the
> > same, what happens if they aren't?
>
> The certificates can be different.  As you might recall, one of the
> issues that we discussed was the possibility of having different
> a=fingerprint attributes on different m-lines, as well as having
> alternative a=fingerprint lines on the same m-lines.
>
> The current draft handles this by covering multiple fingerprints by
> the identity assertion.
>

Different m= lines can have different fingerprints, but do we expect to
support multiple fingerprints with the same digest algorithm on the same m=
line, where the receiver then checks that the received certificate matches
one of the possible fingerprints?


> > b. Can different identities be asserted for the RTP and RTCP DTLS
> > Transports? Does this make sense in some circumstances? If so, when?
>
> a=identity is a session-level attribute and they should (MUST?) only
> be one.  So no.  And I can think of any case where this makes sense in
> much the same way that having unmultiplexed RTP/RTCP doesn't make
> sense any more (if it ever did).
>
> > The WebRTC 1.0 API Section 8.3 seems to indicate that this should always
> be
> > the case:
> >
> > "It is possible that different values for the "a=identity" attribute is
> > provided at a media level in SDP. A browser may either choose to treat
> this
> > as an error or ignore the attribute. If multiple different assertions are
> > validated, then they must produce identical identity values."
>
> This is out of date.  I've sent the editors a pull request to have that
> fixed.
>
> > However, I am wondering whether there can be legitimate cases where a
> > browser communicating with a gateway or SFU might encounter distinct
> > identities or certificates for RTP and RTCP.  For example, could an SFU
> > potentially terminate RTCP but not RTP, in which case the certificates
> and
> > asserted identities might be different between RTP and RTCP?
>
> I think that the way that we manage identity in a multi-party
> situation probably needs something different to that.  I don't see any
> particular value in terminating RTCP when you aren't also terminating
> RTP, the two are far too tightly coupled.  They shouldn't really have
> been given different names in the first place.
>
> > The WebRTC 1.0 spec seems to indicate that this should be treated as a
> fatal
> > error, but I'm wondering whether the browser shouldn't be "strict in
> what it
> > sends but liberal in handling what it receives" by just using the
> identity
> > and certificates for RTP, and ignoring the RTCP identities.  Trying to
> > inform the user about different asserted identities for RTP and RTCP
> seems
> > way too complicated to even be worth considering.
>
> BTW, I wish that "liberal in what you permit" meme would go away.  I
> haven't found it to be particularly useful, except as a fatalistic
> acknowledgement of the messy end state that is the Internet.
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

v2.23.0 | Report a Bug | By Email