IETF Logo Mail Archive

Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)

Ted Hardie <ted.ietf@gmail.com> Thu, 24 May 2018 17:50 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E416D12EAD0; Thu, 24 May 2018 10:50:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p6bV4WpZDDcr; Thu, 24 May 2018 10:50:31 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E57112E88B; Thu, 24 May 2018 10:50:31 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id p62-v6so2232502oie.10; Thu, 24 May 2018 10:50:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Oz7cQMydx2a1Yl0YwahS3z2Oa/C41QDK5UbXyCP68oY=; b=f1iBsMSYRCjfJ6ILj477KI1W9oVQ9QQnvnl9Pu85QwXhLnwtMQ6GpddCCnVmcrFP5s QNfHz2Ck0YK/1NNa9ACL6J5XAYQYrKcOZlK5uETRBKARmsM2qAhQKaB0pz2TOtPpbeEZ IPvF2jZzITVAD7IO8ICjZxZO3KCGLdEDuX+4eFDCJQyuYjWUUdH+FpNAO2fisyIymmN8 rJdEldqRBJcfhUyLe7uW1deUzWkxWDK2oVCqvIGtX/hVvr5XcCueBL5AXcr4FHosSA6W Q2Yt61StttN6KvkPFqhxeVyyjYLvqXDklnceGFC65vSyqqRki/5hj3rrTqLgK/+PFS2E rwJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Oz7cQMydx2a1Yl0YwahS3z2Oa/C41QDK5UbXyCP68oY=; b=Es3LL1sdFCKgStYFYyrzSIZentyv1D8qSRmsC5ot7B38CkNBisIK41S1flohjDXJsY FFIc+N/3A8YdHNL7/BKJL3rdkbOTtuyXI2MLazwfmmOvrQlQGI+sZaTQdD+NK12oq8Cq udZ1nyFg3FMhVgk2YyEcg58ng9uEBuiXFICiZCLJmWYLzGCA3B03y56JQYA7fF3boYDY NufC4S0T5nUdgJDMKzY3zacLcYMwmDPRIFAYp/qvMHVpy3pZzbsNMyaup0W7TegubIB2 C01wcpL0GggVsUDldyFTvFDjbm62398EZBe5bhXbzEbEcgTHYeNM/7hwU/lDoWGEVHM2 +eVQ==
X-Gm-Message-State: ALKqPwfQtyFBsAPSiDsnaR9MlEEEGFRf7ApIwvJQyoIWOFL/b7bZh8NZ s88axI6aU2n7vE+w7Iv9MTMdySZxEQNXVfnCpew=
X-Google-Smtp-Source: AB8JxZqTKepRiJRNy0MhD6C1+iNOoAl4xMipTnez5GId14iwaQ2iJ/p/xcUzZvzTn3No8y8GPxC74aJN4FBy698rQKY=
X-Received: by 2002:aca:5f0b:: with SMTP id t11-v6mr4651953oib.103.1527184230179; Thu, 24 May 2018 10:50:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:66d5:0:0:0:0:0 with HTTP; Thu, 24 May 2018 10:49:59 -0700 (PDT)
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 24 May 2018 10:49:59 -0700
Message-ID: <CA+9kkMB_SmOwjh7Qh2rpYYLBOwDgmYg9Ai4768zOwwVLUA-wXA@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>, "sdp-directorate-private@ietf.org" <sdp-directorate-private@ietf.org>, "rtcweb-chairs@ietf.org" <rtcweb-chairs@ietf.org>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, "adam@nostrum.com" <adam@nostrum.com>, Ben Campbell <ben@nostrum.com>
Content-Type: multipart/alternative; boundary="0000000000008be734056cf7495b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/lZhhFwQVkktWRs_LtdyIuGiOOnk>
Subject: Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 17:50:34 -0000

Hi Christer,

Can you let us know which of those you believe are still outstanding?

Ted

On Thu, May 24, 2018 at 1:19 AM, Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Hi,
>
>
>
> Below is my SDP directorate review of the SDP Identity attribute, defined
> in draft-ietf-rtcweb-security-arch-14.
>
>
>
> Most of the comments have previously been given as individual comments by
> Paul K and myself. Some have also been addressed by Sean T, but I will
> include them for completeness.
>
>
>
> ---
>
>
>
> Q0 (Scope):
>
>
>
> As the SDP attribute definition should be able to stand on its own legs,
> there should be a description/reference to the IdP solution that it is used
> for.
>
>
>
> Also, if the usage of the attribute is scoped to devices implementing the
> WebRTC specification, that should be indicated.
>
>
>
> ---
>
>
>
> Q1 (Structure):
>
>
>
> The document lacks the offer/answer procedure structure used for SDP
> attributes.
>
>
>
> X.1  Generating the Initial Offer
>
> X.2  Generating the Answer
>
> X.3  Offerer Processing of the Answer
>
> X.4  Modifying the Session
>
>
>
> Based on discussion in MMUSIC, it is also good to clarify that “initial
> offer” refers to the offer where the extension is first introduced.
>
>
>
> The O/A procedures also need to cover the case when an offer/answer from a
> peer does not include an Identity attribute.
>
>
>
> ---
>
>
>
> Q2 (Missing information):
>
>
>
> The mux category is missing.
>
>
>
> ---
>
>
>
> Q3 (Grammar):
>
>
>
> The current ABNF says:
>
>
>
>     identity-attribute  = "identity:" identity-assertion
>
>                                          [ SP identity-extension
>
>                                          *(";" [ SP ] identity-extension) ]
>
>
>
> This mixes the usage of space and semicolon for separating identity
> assertions. Please use one:
>
>
>
>     identity-attribute  = "identity:" identity-assertion
>
>                                         *( SP identity-extension )
>
>
>
> …or:
>
>
>
>     identity-attribute  = "identity:" identity-assertion
>
>                                         *(";" identity-extension)
>
>
>
> ---
>
>
>
> Q4 (Attribute definition):
>
>
>
> Historically there have been problems with the definitions of new SDP
> attributes. Especially, the manner of defining the syntax was inconsistent.
> RFC4566 gave insufficient guidance on how to do this.
> draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided more
> guidance on how to do this. Please do your definitions in that style. For
> instance:
>
>
>
>     5.6.4.2  a=identity Attribute
>
>
>
>     The identity attribute is session level only.  It contains an
>
>     identity assertion, encoded as a base-64 string [RFC4648].
>
>
>
>       Attribute Name: identity
>
>
>
>       Attribute Value: identity-value
>
>
>
>       Usage Level: session
>
>
>
>       Charset Dependent: No
>
>
>
>       Mux Category: ???
>
>
>
>     The Augmented BNF syntax [2] for the attribute is:
>
>
>
>     identity-attribute  = "identity:" identity-assertion
>
>                                         *( SP identity-extension )
>
>
>
>     [continue on with remainder of section.]
>
>
>
> ---
>
>
>
> Q5:
>
>
>
> The draft says that, at minimum, the fingerprint needs to be bound to the
> identity.
>
>
>
> First, I assume this means that, for each assertion, the associated SDP
> fingerprint attribute must be included in the offer/answer. If so, please
> include text about that.
>
>
>
> Second, it would be good to indicate that, in the SDP, there is no link
> between a given assertion and the associated fingerprint.
>
>
>
> ---
>
>
>
> Q6:
>
>
>
> Section 5.6.4.1 says:
>
>
>
>    "The "a=identity" attribute MUST include all
>
>    fingerprint values that are included in "a=fingerprint" lines."
>
>
>
> It is unclear what “attribute MUST include all fingerprint values” means.
> I assume that the text should say something like:
>
>
>
>    "The "a=identity" attribute MUST include an assertion for each
>
>    a=fingerprint attribute value that are included in the SDP offer/answer.”
>
>
>
> It should also be clarified that, if the attribute is used on media-level in an m- section, it contains the assertion for each fingerprint associated with that m- section.
>
>
>
> ---
>
>
>
> Q7:
>
>
>
> Section 5.6.4.2 says:
>
>
>
>   “The semantics of multiple identity attributes are undefined.”
>
>
>
> First, I don’t see the difference in having a single attribute with multiple assertions, or multiple attributes with single assertions. Having said that, if we only want to allow one way, I would suggest to simply forbid multiple attributes.
>
>
>
> Second, it needs to be clarified that the rule apply to a given m- section.
>
>
>
> ---
>
>
>
> Q8:
>
>
>
> In the example in Section 5.6.4.1 the SDP fingerprint attribute is
> included as a session-level attribute. However, it is currently only
> defined as a media-level attribute.
>
>
>
> ---
>
>
>
> Regards,
>
>
>
> Christer
>

v2.23.0 | Report a Bug | By Email