Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute

Cullen Jennings <fluffy@iii.ca> Thu, 24 May 2018 17:46 UTC

From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B72EEFB16@ESESSMB109.ericsson.se>
Date: Thu, 24 May 2018 11:46:34 -0600
Cc: RTCWeb IETF <rtcweb@ietf.org>
Message-Id: <8335F3D9-3A20-4B8F-AB44-62E2E966BAAB@iii.ca>
References: <D71B49BA.2F885%christer.holmberg@ericsson.com> <C3E953BF-3C77-4ABF-B1C8-DD487D814293@iii.ca> <7594FB04B1934943A5C02806D1A2204B72EEFB16@ESESSMB109.ericsson.se>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/VLqcfUk4goI3OVJrZDoGSLsoxUo>
Subject: Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute

You are right, Christer, I was looking at this the wrong way, at how it was used vs. the definition of Identity. Let me answer the questions only from the point of view of how the Identity header is defined by draft-ietf-rtcweb-security-arch and not how the identity header is used in WebRTC in general.


> On May 17, 2018, at 12:03 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
>  
> Hi,
>  
> A few questions/comments on the SDP identity attribute.
>  
> Q1:
> ----
>  
> The draft says that, at minimum, the fingerprint needs to be bound to the identity.
>  
> Does this mean that, in order to include an SDP identity attribute in an offer/answer, the offer/answer MUST also contain at least one SDP fingerprint attribute? Based on the text about generating the identity it seems like that, but it is not very clear in the SDP procedures.
>  
>  

It seems to me that the definition of an Identity header does not need it to be used for fingerprints at all. What goes in the assertion is pretty much determined by the IdP. Some future system that did not have fingerprints but used token binding or blockchain-style smart contracts could probably work just fine. It’s up to the IdP.

So I might be wrong, but I would say that the Identity header does not require a fingerprint to be in the SDP, but when Identity is used in WebRTC, there will also be a fingerprint.

> 
> Q2:
> ----
>  
> Section 5.6.4.1 says:
>    "The "a=identity" attribute MUST include all
>    fingerprint values that are included in "a=fingerprint" lines."
>  
> First, related to the generation of the assertion value, it is unclear how this is implemented. For example, is there a separate JSON object (section 5.6.4) provided to the IdP for each fingerprint? The text talks about a “single” fingerprint in the object. Or, are all fingerprints included in the same JSON object?
>  
> 

As you point out, all that the Identity assertion definition defines is how to encode it, and that’s base64 of JSON, so that part is fine. Section 5.6.4.1 is about how Identity is used in the context of WebRTC. How the IdP does this is pretty much out of scope for IETF stuff, but I think you raise a good point that this implies that in the WebRTC case, if there

>  
> Second, it is unclear what “attribute MUST include all fingerprint values” means. I assume that the attribute will only include a single attribute assertion value, but that the value will be generated by the IdP based on all fingerprint values?
>  
>  
>  
> Q3: 
> ----
>  
> In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it is a media-level attribute. AFAIR, media-level attributes cannot be included as session-level attributes.
>  
>  

Section 8 of RFC 4572, which defines the fingerprint attribute, says that it is both a session-level and a media-level attribute. (2nd para of https://tools.ietf.org/html/rfc4572#section-8 )
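The three points discussed in this exchange (the a=identity value being base64 of JSON, the WebRTC rule that the assertion must cover every a=fingerprint value in the SDP, and a=fingerprint being legal at session level per RFC 4572 section 8, where it applies to any media section that does not override it) as an added JavaScript example. This is not code from the thread, the draft or any browser; the SDP and the two fingerprint digests are constructed, the IdP domain `idp.example` and protocol name are made up, and the inner layout of the opaque assertion string (a JSON object carrying a `fingerprint` array) is a hypothetical IdP format, since the draft leaves that to the IdP.

```javascript
// Added example, not from the thread or the draft. Run with node.
// Checks that an a=identity assertion covers every a=fingerprint value in
// an SDP, and resolves session-level vs media-level fingerprints the way
// RFC 4572 sec. 8 describes (media-level overrides session-level).

const SESSION = 'session';

// Parse every a=fingerprint line. scope is 'session' or the 0-based index
// of the m= section the line belongs to.
function parseFingerprints(sdp) {
  const out = [];
  let scope = SESSION; // everything before the first m= line is session level
  let mIndex = -1;
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('m=')) { mIndex += 1; scope = mIndex; continue; }
    const m = /^a=fingerprint:([^\s]+)\s+([0-9A-Fa-f:]+)$/.exec(line);
    if (m) out.push({ scope, algorithm: m[1].toLowerCase(), digest: m[2].toUpperCase(), line });
  }
  return out;
}

// Effective fingerprints per media section: a session-level a=fingerprint
// applies to every m= section that has no media-level one of its own.
function effectiveFingerprints(sdp) {
  const fps = parseFingerprints(sdp);
  const mCount = (sdp.match(/^m=/gm) || []).length;
  const sessionFps = fps.filter((f) => f.scope === SESSION);
  const result = [];
  for (let i = 0; i < mCount; i++) {
    const mediaFps = fps.filter((f) => f.scope === i);
    result.push({ mIndex: i, fingerprints: mediaFps.length ? mediaFps : sessionFps });
  }
  return result;
}

// Compare fingerprints case-insensitively (hash name lower, hex digest upper).
function fpKey(f) { return `${f.algorithm.toLowerCase()} ${f.digest.toUpperCase()}`; }

// a=identity value: base64 of JSON { idp: {domain, protocol}, assertion }.
function decodeIdentity(attrValue) {
  const obj = JSON.parse(Buffer.from(attrValue, 'base64').toString('utf8'));
  if (!obj.idp || typeof obj.idp.domain !== 'string' || typeof obj.assertion !== 'string') {
    throw new Error('malformed identity assertion');
  }
  return obj;
}

// HYPOTHETICAL IdP format (assumption): the opaque assertion string is
// base64 JSON { fingerprint: [ {algorithm, digest}, ... ] }. A real IdP
// chooses its own format and signs it; signature checking is out of scope.
function assertedFingerprints(identity) {
  const payload = JSON.parse(Buffer.from(identity.assertion, 'base64').toString('utf8'));
  if (!Array.isArray(payload.fingerprint)) throw new Error('assertion carries no fingerprint array');
  return payload.fingerprint;
}

// The 5.6.4.1 rule: every a=fingerprint value in the SDP must appear in the
// assertion. Returns the uncovered a=fingerprint lines (empty means OK).
function uncoveredFingerprints(sdp, identityAttrValue) {
  const covered = new Set(assertedFingerprints(decodeIdentity(identityAttrValue)).map(fpKey));
  return parseFingerprints(sdp).filter((f) => !covered.has(fpKey(f))).map((f) => f.line);
}

function b64(obj) { return Buffer.from(JSON.stringify(obj)).toString('base64'); }

// Build an a=identity value for the hypothetical IdP above.
function makeIdentity(fps) {
  return b64({ idp: { domain: 'idp.example', protocol: 'hypothetical' }, assertion: b64({ fingerprint: fps }) });
}

// Constructed sample data (not captured from any endpoint).
const FP_A = { algorithm: 'sha-256', digest: '4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB:2A:4B:9B:FF:6C:6A:95:D8:35:4E:6D:5B' };
const FP_B = { algorithm: 'sha-256', digest: '02:1A:CC:54:27:AB:EB:9C:A7:C1:C5:47:8E:6B:7F:19:52:D3:B6:05:76:8A:45:EA:DF:3C:5E:19:2B:E1:91:C0' };

// Session-level fingerprint inherited by the audio section; the video
// section overrides it with its own media-level fingerprint.
const SAMPLE_SDP = [
  'v=0',
  'o=- 1 1 IN IP4 127.0.0.1',
  's=-',
  't=0 0',
  `a=fingerprint:sha-256 ${FP_A.digest}`,
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'a=setup:actpass',
  'm=video 9 UDP/TLS/RTP/SAVPF 96',
  `a=fingerprint:sha-256 ${FP_B.digest}`,
].join('\r\n');

console.log(effectiveFingerprints(SAMPLE_SDP).map((e) => [e.mIndex, e.fingerprints.map(fpKey)]));
console.log(uncoveredFingerprints(SAMPLE_SDP, makeIdentity([FP_A, FP_B]))); // []
console.log(uncoveredFingerprints(SAMPLE_SDP, makeIdentity([FP_A])));       // the video a=fingerprint line
```

The second call models the failure the "MUST include all fingerprint values" sentence guards against: an assertion generated from the session-level fingerprint alone leaves the video section's media-level fingerprint unbound, so a verifier must reject it rather than accept the identity for the whole session.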