Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
Ted Hardie <ted.ietf@gmail.com> Thu, 24 May 2018 17:50 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E416D12EAD0; Thu, 24 May 2018 10:50:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p6bV4WpZDDcr; Thu, 24 May 2018 10:50:31 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E57112E88B; Thu, 24 May 2018 10:50:31 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id p62-v6so2232502oie.10; Thu, 24 May 2018 10:50:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Oz7cQMydx2a1Yl0YwahS3z2Oa/C41QDK5UbXyCP68oY=; b=f1iBsMSYRCjfJ6ILj477KI1W9oVQ9QQnvnl9Pu85QwXhLnwtMQ6GpddCCnVmcrFP5s QNfHz2Ck0YK/1NNa9ACL6J5XAYQYrKcOZlK5uETRBKARmsM2qAhQKaB0pz2TOtPpbeEZ IPvF2jZzITVAD7IO8ICjZxZO3KCGLdEDuX+4eFDCJQyuYjWUUdH+FpNAO2fisyIymmN8 rJdEldqRBJcfhUyLe7uW1deUzWkxWDK2oVCqvIGtX/hVvr5XcCueBL5AXcr4FHosSA6W Q2Yt61StttN6KvkPFqhxeVyyjYLvqXDklnceGFC65vSyqqRki/5hj3rrTqLgK/+PFS2E rwJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Oz7cQMydx2a1Yl0YwahS3z2Oa/C41QDK5UbXyCP68oY=; b=Es3LL1sdFCKgStYFYyrzSIZentyv1D8qSRmsC5ot7B38CkNBisIK41S1flohjDXJsY FFIc+N/3A8YdHNL7/BKJL3rdkbOTtuyXI2MLazwfmmOvrQlQGI+sZaTQdD+NK12oq8Cq udZ1nyFg3FMhVgk2YyEcg58ng9uEBuiXFICiZCLJmWYLzGCA3B03y56JQYA7fF3boYDY NufC4S0T5nUdgJDMKzY3zacLcYMwmDPRIFAYp/qvMHVpy3pZzbsNMyaup0W7TegubIB2 C01wcpL0GggVsUDldyFTvFDjbm62398EZBe5bhXbzEbEcgTHYeNM/7hwU/lDoWGEVHM2 +eVQ==
X-Gm-Message-State: ALKqPwfQtyFBsAPSiDsnaR9MlEEEGFRf7ApIwvJQyoIWOFL/b7bZh8NZ s88axI6aU2n7vE+w7Iv9MTMdySZxEQNXVfnCpew=
X-Google-Smtp-Source: AB8JxZqTKepRiJRNy0MhD6C1+iNOoAl4xMipTnez5GId14iwaQ2iJ/p/xcUzZvzTn3No8y8GPxC74aJN4FBy698rQKY=
X-Received: by 2002:aca:5f0b:: with SMTP id t11-v6mr4651953oib.103.1527184230179; Thu, 24 May 2018 10:50:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:66d5:0:0:0:0:0 with HTTP; Thu, 24 May 2018 10:49:59 -0700 (PDT)
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 24 May 2018 10:49:59 -0700
Message-ID: <CA+9kkMB_SmOwjh7Qh2rpYYLBOwDgmYg9Ai4768zOwwVLUA-wXA@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>, "sdp-directorate-private@ietf.org" <sdp-directorate-private@ietf.org>, "rtcweb-chairs@ietf.org" <rtcweb-chairs@ietf.org>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, "adam@nostrum.com" <adam@nostrum.com>, Ben Campbell <ben@nostrum.com>
Content-Type: multipart/alternative; boundary="0000000000008be734056cf7495b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/lZhhFwQVkktWRs_LtdyIuGiOOnk>
Subject: Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 17:50:34 -0000
Hi Christer, Can you let us know which of those you believe are still outstanding? Ted On Thu, May 24, 2018 at 1:19 AM, Christer Holmberg < christer.holmberg@ericsson.com> wrote: > Hi, > > > > Below is my SDP directorate review of the SDP Identity attribute, defined > in draft-ietf-rtcweb-security-arch-14. > > > > Most of the comments have previously been given as individual comments by > Paul K and myself. Some have also been addressed by Sean T, but I will > include them for completeness. > > > > --- > > > > Q0 (Scope): > > > > As the SDP attribute definition should be able to stand on its own legs, > there should be a description/reference to the IdP solution that it is used > for. > > > > Also, if the usage of the attribute is scoped to devices implementing the > WebRTC specification, that should be indicated. > > > > --- > > > > Q1 (Structure): > > > > The document lacks the offer/answer procedure structure used for SDP > attributes. > > > > X.1 Generating the Initial Offer > > X.2 Generating the Answer > > X.3 Offerer Processing of the Answer > > X.4 Modifying the Session > > > > Based on discussion in MMUSIC, it is also good to clarify that “initial > offer” refers to the offer where the extension is first introduced. > > > > The O/A procedures also need to cover the case when an offer/answer from a > peer does not include an Identity attribute. > > > > --- > > > > Q2 (Missing information): > > > > The mux category is missing. > > > > --- > > > > Q3 (Grammar): > > > > The current ABNF says: > > > > identity-attribute = "identity:" identity-assertion > > [ SP identity-extension > > *(";" [ SP ] identity-extension) ] > > > > This mixes the usage of space and semicolon for separating identity > assertions. Please use one: > > > > identity-attribute = "identity:" identity-assertion > > *( SP identity-extension ) > > > > …or: > > > > identity-attribute = "identity:" identity-assertion > > *(";" identity-extension) > > > > --- > > > > Q4 (Attribute definition): > > > > Historically there have been problems with the definitions of new SDP > attributes. Especially, the manner of defining the syntax was inconsistent. > RFC4566 gave insufficient guidance on how to do this. > draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided more > guidance on how to do this. Please do your definitions in that style. For > instance: > > > > 5.6.4.2 a=identity Attribute > > > > The identity attribute is session level only. It contains an > > identity assertion, encoded as a base-64 string [RFC4648]. > > > > Attribute Name: identity > > > > Attribute Value: identity-value > > > > Usage Level: session > > > > Charset Dependent: No > > > > Mux Category: ??? > > > > The Augmented BNF syntax [2] for the attribute is: > > > > identity-attribute = "identity:" identity-assertion > > *( SP identity-extension ) > > > > [continue on with remainder of section.] > > > > --- > > > > Q5: > > > > The draft says that, at minimum, the fingerprint needs to be bound to the > identity. > > > > First, I assume this means that, for each assertion, the associated SDP > fingerprint attribute must be included in the offer/answer. If so, please > include text about that. > > > > Second, it would be good to indicate that, in the SDP, there is no link > between a given assertion and the associated fingerprint. > > > > --- > > > > Q6: > > > > Section 5.6.4.1 says: > > > > "The "a=identity" attribute MUST include all > > fingerprint values that are included in "a=fingerprint" lines." > > > > It is unclear what “attribute MUST include all fingerprint values” means. > I assume that the text should say something like: > > > > "The "a=identity" attribute MUST include an assertion for each > > a=fingerprint attribute value that are included in the SDP offer/answer.” > > > > It should also be clarified that, if the attribute is used on media-level in an m- section, it contains the assertion for each fingerprint associated with that m- section. > > > > --- > > > > Q7: > > > > Section 5.6.4.2 says: > > > > “The semantics of multiple identity attributes are undefined.” > > > > First, I don’t see the difference in having a single attribute with multiple assertions, or multiple attributes with single assertions. Having said that, if we only want to allow one way, I would suggest to simply forbid multiple attributes. > > > > Second, it needs to be clarified that the rule apply to a given m- section. > > > > --- > > > > Q8: > > > > In the example in Section 5.6.4.1 the SDP fingerprint attribute is > included as a session-level attribute. However, it is currently only > defined as a media-level attribute. > > > > --- > > > > Regards, > > > > Christer >
- Re: [rtcweb] SDP directorate review of SDP Identi… Martin Thomson
- [rtcweb] SDP directorate review of SDP Identity a… Christer Holmberg
- Re: [rtcweb] SDP directorate review of SDP Identi… Ted Hardie
- Re: [rtcweb] SDP directorate review of SDP Identi… Christer Holmberg
- Re: [rtcweb] SDP directorate review of SDP Identi… Christer Holmberg