Re: [rtcweb] Fwd: New Version Notification for draft-uberti-rtcweb-turn-rest-00.txt

Justin Uberti <juberti@google.com> Mon, 08 July 2013 20:09 UTC

In-Reply-To: <CABkgnnUa8=AVKW=uBMJm7XO10839PEbWQJ0kHqhHcJ7WDvgENg@mail.gmail.com>
References: <20130708041540.7930.93762.idtracker@ietfa.amsl.com> <CALe60zAs-NCJgiiHuFHi1ZEOdp2SB4v2-0AYrxBQ2R_gJ=nLcA@mail.gmail.com> <CAOJ7v-0Vxkf-4j-ZHCisKuORob_cL3ogXoexTFMDMJDEttRbaQ@mail.gmail.com> <51DAAF4B.4070004@viagenie.ca> <CABkgnnVexfPJcndtZrQfUSJHyMOQfC3YxH+-jZDrXm5L7evhSw@mail.gmail.com> <CAOJ7v-0k7teFe1rMaXBJpv0_eLJ+Qp9fX5+QQ5yOq8n_bQufhw@mail.gmail.com> <CABkgnnUa8=AVKW=uBMJm7XO10839PEbWQJ0kHqhHcJ7WDvgENg@mail.gmail.com>
Date: Mon, 08 Jul 2013 16:09:20 -0400
Message-ID: <CAOJ7v-0ARdB8b2TmtaWiyXR0nbNn66uTw6_sRtOU1fWHuYsQnw@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Fwd: New Version Notification for draft-uberti-rtcweb-turn-rest-00.txt

On Jul 8, 2013 2:16 PM, "Martin Thomson" <martin.thomson@gmail.com> wrote:
>
> On 8 July 2013 11:02, Justin Uberti <juberti@google.com> wrote:
> > RFC 5766 mandates the use of the long-term credential mechanism. One of the
> > goals of this proposal is to work with existing TURN servers, so it also
> > uses the long-term credential mechanism, the key point being that the vended
> > credentials have finite lifetimes.
>
> You could update 5766 to remove this constraint (I forgot about that
> bit)...and the extra round trip required for the challenge.
>
> Or you could provide the client with a realm and nonce in the
> response, but that seems like a little too much.

The issue with using short-term credentials, without a nonce, is the
possibility of replay attacks by an eavesdropper.

Passing realm and nonce solves this, but is problematic because nonces need
to be per-allocation, so you'd need some sort of master nonce that could be
used for nonce generation. Plus the RTCIceServer API would need to be
expanded.
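The two points in this exchange, time-limited credentials that still work with the long-term credential mechanism and the replay problem when there is no nonce, as an added example. This is not code from the thread, the draft, or any TURN server; it follows my understanding of the draft's credential format (username = "<expiry unix time>:<user id>", password = base64 of HMAC-SHA1 keyed with a secret shared between the credential service and the TURN server) and the RFC 5389 long-term key derivation. The shared secret, the realm, the STUN message bytes and the one-request-per-nonce bookkeeping are all assumptions constructed for the example; real STUN MESSAGE-INTEGRITY is computed over the encoded message with an adjusted length field, which is not modelled here.

```python
import base64
import hashlib
import hmac
import os
import time

# Secret shared between the service that vends credentials and the TURN server.
# Constructed for this example.
SHARED_SECRET = b"example-turn-shared-secret"
REALM = "turn.example.org"  # hypothetical realm name


def mint_credentials(user_id, ttl_seconds, now=None):
    """Vend a (username, password) pair that is valid for ttl_seconds.

    The username carries the expiry; the password is base64(HMAC-SHA1(secret,
    username)), so the TURN server can verify it without per-user state.
    """
    now = int(time.time()) if now is None else now
    username = "%d:%s" % (now + ttl_seconds, user_id)
    password = base64.b64encode(
        hmac.new(SHARED_SECRET, username.encode(), hashlib.sha1).digest()).decode()
    return username, password


def credential_valid(username, password, now=None):
    """TURN-server side: recompute the password and check the embedded expiry."""
    now = int(time.time()) if now is None else now
    expiry, _, _user_id = username.partition(":")
    if not expiry.isdigit():
        return False
    expected = base64.b64encode(
        hmac.new(SHARED_SECRET, username.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, password) and int(expiry) > now


def long_term_key(username, realm, password):
    """RFC 5389 long-term credential key: MD5(username ":" realm ":" password)."""
    return hashlib.md5(("%s:%s:%s" % (username, realm, password)).encode()).digest()


def message_integrity(key, message):
    """MESSAGE-INTEGRITY value: HMAC-SHA1 over the (simplified) message bytes."""
    return hmac.new(key, message, hashlib.sha1).digest()


class StatelessVerifier:
    """Checks only the credential and the MAC: a captured request verifies again."""

    def accept(self, username, password, body, mac, now=None):
        if not credential_valid(username, password, now):
            return False
        key = long_term_key(username, REALM, password)
        return hmac.compare_digest(message_integrity(key, body), mac)


class NonceVerifier:
    """Issues a nonce per challenge; each nonce authorises a single allocation."""

    def __init__(self):
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(8).hex()  # returned in the 401 together with the realm
        self.outstanding.add(nonce)
        return nonce

    def accept(self, username, password, nonce, body, mac, now=None):
        if not credential_valid(username, password, now):
            return False
        if nonce not in self.outstanding:
            return False  # never issued, or already consumed: treat as a replay
        key = long_term_key(username, REALM, password)
        if not hmac.compare_digest(message_integrity(key, body + nonce.encode()), mac):
            return False
        self.outstanding.discard(nonce)
        return True


def replay_demo(now=1373314160):
    """Send the same Allocate twice to each verifier.

    Returns (stateless_first, stateless_replay, nonce_first, nonce_replay).
    """
    username, password = mint_credentials("alice", 600, now)
    body = b"ALLOCATE REQUESTED-TRANSPORT=udp"  # constructed stand-in for a STUN body
    key = long_term_key(username, REALM, password)

    stateless = StatelessVerifier()
    mac = message_integrity(key, body)
    s_first = stateless.accept(username, password, body, mac, now)
    s_replay = stateless.accept(username, password, body, mac, now)  # still accepted

    server = NonceVerifier()
    nonce = server.challenge()
    mac_n = message_integrity(key, body + nonce.encode())
    n_first = server.accept(username, password, nonce, body, mac_n, now)
    n_replay = server.accept(username, password, nonce, body, mac_n, now)  # rejected
    return s_first, s_replay, n_first, n_replay


if __name__ == "__main__":
    print(replay_demo())
```

The expiry limits how long a captured credential is useful, but within that window the stateless verifier accepts the identical request any number of times; only the nonce bound to the server's challenge lets it tell a fresh Allocate from a replayed one, which is why the draft keeps the 401 challenge round trip instead of moving to short-term credentials.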