[rtcweb] security-arch: Identity Assertions

Michael Procter <michael@voip.co.uk> Tue, 15 July 2014 12:07 UTC

Date: Tue, 15 Jul 2014 13:07:49 +0100
Message-ID: <CAPms+wTM=z1--PaimYW51Q4Ou9A1u+HuXEjZ=3dVY6WJL2=4=g@mail.gmail.com>
From: Michael Procter <michael@voip.co.uk>
To: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/aVBzDEHZFGRcpcBKif2Wxd1XUH8
Subject: [rtcweb] security-arch: Identity Assertions

I've been reading the security-arch draft, and I think there is a part
that should be removed.  In section 5.6.4.2, the second paragraph
starts:

   Each identity attribute should be paired (and attests to) with an
   a=fingerprint attribute and therefore can exist either at the session
   or media level. Multiple identity attributes may appear at either level,
   though it is RECOMMENDED that implementations not do this, [...]

This conflicts with the next section which begins:

   The identity attribute is session level only.

The notion of pairing identity with fingerprint attributes also seems
to conflict with the third paragraph which contains:

   The a=identity attribute MUST include all fingerprint values that are
   included in a=fingerprint lines

I think the whole of the second paragraph can be removed without loss,
since the parts that don't conflict appear to be addressed in the
third paragraph of 5.6.4.2 anyway.

Regards,

Michael
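The two rules Michael quotes from section 5.6.4.2 (a=identity is session level only, and the identity assertion must cover every fingerprint that appears in an a=fingerprint line) can be turned into a receiver-side consistency check. The following is an added illustration, not code from the draft or from anyone on this thread. It assumes the identity assertion has already been verified through the IdP and that its bound fingerprints are available as (hash function, digest) pairs; the SDP, the digests and the placeholder a=identity value are constructed, and the real encoding of the assertion is not modelled.

```python
from typing import List, Tuple

Fingerprint = Tuple[str, str]  # (hash function name, digest as written in the a=fingerprint line)

# Constructed sample digests (not real certificate fingerprints): 32 hex byte pairs each.
DIGEST_A = ":".join(f"{b:02X}" for b in range(32))
DIGEST_B = ":".join(f"{b:02X}" for b in range(255, 223, -1))


def build_sdp(identity_at_media_level: bool = False) -> str:
    """Constructed SDP with one a=identity and one a=fingerprint per m= section.

    The a=identity value is a placeholder; the draft defines the real encoding
    and it is deliberately not modelled here.  With identity_at_media_level=True
    the attribute is (wrongly) placed inside the audio section instead of the
    session part, so the checker has something to reject.
    """
    identity = "a=identity:PLACEHOLDER_ASSERTION"
    session = ["v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0"]
    if not identity_at_media_level:
        session.append(identity)
    audio = ["m=audio 9 UDP/TLS/RTP/SAVPF 111", "c=IN IP4 0.0.0.0",
             f"a=fingerprint:sha-256 {DIGEST_A}"]
    if identity_at_media_level:
        audio.append(identity)
    video = ["m=video 9 UDP/TLS/RTP/SAVPF 96", "c=IN IP4 0.0.0.0",
             f"a=fingerprint:sha-256 {DIGEST_B}"]
    return "\r\n".join(session + audio + video) + "\r\n"


def split_levels(sdp: str) -> List[List[str]]:
    """Index 0 holds the session-level lines; each following list is one m= section."""
    sections: List[List[str]] = [[]]
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("m="):
            sections.append([])
        sections[-1].append(line)
    return sections


def parse_fingerprint(line: str) -> Fingerprint:
    """'a=fingerprint:<hash-func> <digest>' -> normalised (hash-func, digest)."""
    value = line[len("a=fingerprint:"):]
    hash_func, _, digest = value.partition(" ")
    return hash_func.strip().lower(), digest.strip().upper()


def check_identity_binding(sdp: str, asserted: List[Fingerprint]) -> List[str]:
    """Return the list of rule violations; an empty list means the SDP is consistent.

    Rule 1: a=identity may only appear at session level.
    Rule 2: every a=fingerprint value (session or media level) must be among the
            fingerprints bound by the verified identity assertion.
    """
    bound = {(h.lower(), d.upper()) for h, d in asserted}
    problems: List[str] = []
    for index, lines in enumerate(split_levels(sdp)):
        level = "session" if index == 0 else f"media section {index}"
        for line in lines:
            if line.startswith("a=identity:") and index != 0:
                problems.append(f"a=identity found at {level}; the attribute is session level only")
            elif line.startswith("a=fingerprint:"):
                fp = parse_fingerprint(line)
                if fp not in bound:
                    problems.append(f"{level}: fingerprint {fp[0]} {fp[1][:8]}... "
                                    "is not covered by the identity assertion")
    return problems


if __name__ == "__main__":
    sdp = build_sdp()
    # Only the audio fingerprint is bound, so the video fingerprint is reported.
    print(check_identity_binding(sdp, [("sha-256", DIGEST_A)]))
    # Both fingerprints bound: no problems.
    print(check_identity_binding(sdp, [("sha-256", DIGEST_A), ("sha-256", DIGEST_B)]))
```

Because the check walks both the session part and every m= section, it does not matter whether an implementation emits a single fingerprint at session level or one per media section: the assertion either covers all of them or the offer is rejected, which is the behaviour the third paragraph of 5.6.4.2 asks for without any per-fingerprint pairing.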