Re: [rtcweb] RTCWeb and STIR

"Peterson, Jon" <jon.peterson@neustar.biz> Wed, 11 May 2016 20:54 UTC

From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Harald Alvestrand <harald@alvestrand.no>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Date: Wed, 11 May 2016 20:54:15 +0000
Message-ID: <D358DF9E.18BA35%jon.peterson@neustar.biz>
References: <1D53717F-3679-4E9C-B612-FA75BFF13032@iii.ca> <57318BF1.4050006@alvestrand.no>
In-Reply-To: <57318BF1.4050006@alvestrand.no>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/m6C7GavkZg8dANbZ15bTOHnvYJg>
Cc: "Wendt, Chris" <Chris_Wendt@cable.comcast.com>
Subject: Re: [rtcweb] RTCWeb and STIR

STIR is planning on moving the fingerprint syntax to a JSON array anyway.
I think we could easily get the PASSporT object aligned with the syntax in
rtcweb-security-arch 5.6.4. So I think the fixes in 3.2 can probably be
made - though I agree (per 3.7) we should try to make the encoding of the
digest as compact as we can across the two mechanisms, which might warrant
some more discussion.

The really interesting interworking question, as Cullen's draft suggests,
is how to prevent the "grossness" that results from the fact that STIR
today carries its identity assertion in a SIP header, whereas WebRTC
carries its assertion as an SDP attribute. The last thing we'd want is to
do both redundantly. It does look like, provided we can get fingerprints
into alignment, it would at least be possible to translate the SDP
attribute into a SIP header and vice versa.

A number of the smaller fixes that Cullen proposes for WebRTC seem like
they could be helpful: some are just adding extensions to the existing
a=identity attribute, which the rtcweb-security-arch spec allows, so much
of that is painless. Support for multiple identity assertions in one SDP
session seems like it would be valuable for non-STIR IdP use cases even.
Questions like Cullen's 3.3.3, whether or not it would be better to break
the domain and protocol out of the base64 encoded assertion, are things
that would be nice to have, though I imagine people are reluctant to
reopen rtcweb-security-arch at this point.

Most of the questions about the identifiers carried in the assertion are
cases where, at least on the PASSporT side, extensibility should be able
to take care of them. The 3.6 question of whether identity should focus on
RFC822-style names versus URIs is an interesting one: I'd venture it would
be perfectly valid to define a PASSporT claim type for those, in addition
to having URIs and telephone numbers as options (also, there's already a
baseline JWS "email" claim that might serve). Per 3.9, I've been imagining
a PASSporT extension specifically for conferencing architectures -
possibly more than one will be required, to support centralized vs. mesh.

This is a very handy document to have, though; I think I understand the
interworking story a lot better than I did before.

Jon Peterson
Neustar, Inc.

On 5/10/16, 12:21 AM, "rtcweb on behalf of Harald Alvestrand"
<rtcweb-bounces@ietf.org on behalf of harald@alvestrand.no> wrote:

>On 9 May 2016 22:31, Cullen Jennings wrote:
>> 
>> 
>> I've been looking at how WebRTC Identity and STIR work together and put
>>together a worked out example at
>> 
>> http://www.ietf.org/id/draft-jennings-stir-rtcweb-identity-00.txt
>> 
>> It does not propose any significant changes to WebRTC but it does point
>>at a few syntax changes that might make things easier.
>> 
>> Probably the key change for RTCWeb would be to unify the syntax we use
>>for DTLS-SRTP fingerprints.
>
>
>The fingerprint syntax comes from SDP/DTLS, not from RTCWeb, I believe.
>
>It might be best for STIR to either get with the party or propose an SDP
>change for DTLS.
>
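As an added illustration of the two points in Jon's first paragraphs (aligning the fingerprint syntax between PASSporT and the rtcweb-security-arch form, and translating between the SDP attribute and a SIP-carried assertion), here is a small Python sketch that is not code from the draft, the thread, or any STIR implementation. It assumes the `{alg, dig}` JSON-array shape that PASSporT later adopted in RFC 8225, builds its sample SDP from a constructed certificate stand-in, and includes a base64url variant only to show the size difference behind the compactness concern, not as a standard encoding.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for DER certificate bytes (not a real certificate).
CERT_DER = b"constructed DER bytes standing in for a DTLS certificate"
DIGEST = hashlib.sha256(CERT_DER).digest()


def colon_hex(raw):
    """SDP a=fingerprint form: upper-case hex octets separated by colons."""
    return ":".join(f"{b:02X}" for b in raw)


# Constructed SDP fragment carrying the DTLS-SRTP fingerprint of CERT_DER.
SAMPLE_SDP = (
    "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=-\r\n"
    f"a=fingerprint:sha-256 {colon_hex(DIGEST)}\r\n"
    "a=setup:actpass\r\n"
)

FP_RE = re.compile(
    r"^a=fingerprint:(?P<alg>[\w-]+)\s+"
    r"(?P<dig>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$", re.M)


def parse_fingerprints(sdp):
    """SDP -> PASSporT-style "mky" array: [{"alg": ..., "dig": ...}, ...]."""
    return [{"alg": m["alg"].lower(), "dig": m["dig"].upper()}
            for m in FP_RE.finditer(sdp)]


def to_sdp_lines(mky):
    """Reverse direction: array from a SIP-carried assertion back to SDP lines."""
    return [f"a=fingerprint:{e['alg']} {e['dig']}" for e in mky]


def compact_digest(dig):
    """Same 32 bytes as base64url without padding (95 chars -> 43)."""
    raw = bytes.fromhex(dig.replace(":", ""))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def expand_digest(b64):
    """Inverse of compact_digest, restoring the colon-hex SDP form."""
    return colon_hex(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))


def fingerprint_matches(asserted, offered):
    """Verifier check: same algorithm and same digest bytes, ignoring text formatting."""
    if asserted["alg"].lower() != offered["alg"].lower():
        return False
    a = bytes.fromhex(asserted["dig"].replace(":", ""))
    b = bytes.fromhex(offered["dig"].replace(":", ""))
    return hmac.compare_digest(a, b)
```

Whichever carrier the assertion arrives in, the verifier should compare decoded digest bytes rather than the formatted strings, so that case or encoding differences between the two syntaxes never cause a spurious mismatch or match.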