IETF Logo Mail Archive

Re: [rtcweb] JSEP fingerprint hash requirements

Justin Uberti <juberti@google.com> Sat, 19 October 2013 02:23 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D9C811E8135 for <rtcweb@ietfa.amsl.com>; Fri, 18 Oct 2013 19:23:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_111=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKlgGXoU9mmr for <rtcweb@ietfa.amsl.com>; Fri, 18 Oct 2013 19:23:10 -0700 (PDT)
Received: from mail-ve0-x236.google.com (mail-ve0-x236.google.com [IPv6:2607:f8b0:400c:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id E5B6311E8128 for <rtcweb@ietf.org>; Fri, 18 Oct 2013 19:23:09 -0700 (PDT)
Received: by mail-ve0-f182.google.com with SMTP id oy12so2395546veb.41 for <rtcweb@ietf.org>; Fri, 18 Oct 2013 19:23:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=tfoTKs5zo9jSEMFzjtvB9P9iKvYbhRpM/ZrRX3ShG0Q=; b=O/Ph7RA+t0oPRcm6XZfwTFPtybeIvo5qeb3DRGPN9JDfgs8fRkZO5FNJOWDAi/uan/ ERfL5fFqX7MgAdjY4M66G9qk+qRbalyl35OnZmhh+E54oCRYgKs9P3zDcE2TXsAyNXaM fRK8RQ/dmsabZutilxs99Vmqq9GUF1lIdlUnGibemKa9xYwMLmmdh4xEFRH/KOBKF1GU GA6UwTigg8I6CrN7vSVfg55o9kkjME7kN4tKHCof26X02ccIj7pRa/0pkaMwWhcSuiHc n8c3gWzhB/2YCkcnXM9G9+2sxH9B86oAr/pMy5mB9Zd349sbJ2PlWsVARB5E3K7ON1r3 +2JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=tfoTKs5zo9jSEMFzjtvB9P9iKvYbhRpM/ZrRX3ShG0Q=; b=C/7h7XSTzaGDbaNe4e/MauU04p8b7U71YWgYfVoW3mZ7usvvJTyXYYVTyPvQIVF4Bu Lhp+3XrWIXAkFwaRcAPGREcLsYCBGO0j+3SeomYrSsw8yjWq3tnvoNY/+Dj4jGPQvlk6 RXvyCQzYZF6KfpUWxXqKKCgDq5DBYUvuWzH/2vv+c0AhvRW3M55AF9SujiLaB8eQEWGD oHD9r1kt7lkQEx+Jq7HOgfC1skuZVW59dGVGsQIGW+q8iXUySosJWUtjPTfXWgeGftiY bSIBygKq0vvIiIXbNF/6xHQz5/4mxCfXhHrw8TgVXhRSMESd5hYr1ufrpYco7NRHGPwX 2zhw==
X-Gm-Message-State: ALoCoQmPEI8dBqiOQSwFzTQSxO09K2wjbEbtjK3YdiNss99WIUXB2Mk3pHfUhf4MUvx1dIQP5hLNLaw5QhOvJ2xJuofdEeUv/VnbDrpzPDwLUFyE/yqJU0T2/yXTTITHXkeWBhyO8DH+qrCVagN4+66Dx2R0Nt1kA/Xvt8e5c3mOmrZbmluyQ4wMZPNPHeu4vy7nmySi3Mw3
X-Received: by 10.58.168.205 with SMTP id zy13mr3394445veb.19.1382149389274; Fri, 18 Oct 2013 19:23:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.110.101 with HTTP; Fri, 18 Oct 2013 19:22:49 -0700 (PDT)
In-Reply-To: <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com>
References: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com> <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Fri, 18 Oct 2013 19:22:49 -0700
Message-ID: <CAOJ7v-1W2-u4wCDc2yw7MRrJOnHtDpUJgAbsS4sogymosc8yyA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b6dc2245ff74304e90ebb38"
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] JSEP fingerprint hash requirements
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Oct 2013 02:23:10 -0000

FWIW others have complained about this exact thing in JSEP and it will be
fixed in the -05 version (to agree with 4572).


On Thu, Oct 17, 2013 at 11:54 AM, Martin Thomson
<martin.thomson@gmail.com>wrote:

> On 17 October 2013 01:37, Kevin Dempsey <kevindempsey70@gmail.com> wrote:
> > 1) does the fingerprinh hash need to match the certificate
>
> Yes.  Without that, you've got no binding between signaling and media
> path, which is bad.
>
> > 2) do webrtc compatible endpoints need to handle hashes 'weaker' than
> > sha-256
>
> No.  RFC 4572 is clear:
>    A certificate fingerprint MUST be computed using the same one-way
>    hash function as is used in the certificate's signature algorithm.
>
> That means that you need to generate the certificate with a hash that
> is strong enough.
>
> > 3) are there any rules for handling multiple fingerprints?
>
> RFC 4572 is silent on that, unless I missed something, which I
> probably did.  The only plausible choice given the above statement
> from 4572 is to suggest that multiple a=fingerprint values indicate
> alternative certificates.
>
> That should probably be written down, of course.
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

v2.23.0 | Report a Bug | By Email