Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 18 May 2018 06:43 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Cullen Jennings <fluffy@iii.ca>
CC: RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute
Thread-Index: AQHT6RGfenU2OZxm10q2tYkeSmM/qKQ0G04AgAAiMMCAAOi6AA==
Date: Fri, 18 May 2018 06:42:04 +0000
Message-ID: <D72450E1.2FE33%christer.holmberg@ericsson.com>
References: <D71B49BA.2F885%christer.holmberg@ericsson.com> <C3E953BF-3C77-4ABF-B1C8-DD487D814293@iii.ca> <7594FB04B1934943A5C02806D1A2204B72EEFB16@ESESSMB109.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B72EEFB16@ESESSMB109.ericsson.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/o1LpQQW0JljQAVJLKYMkdHlmyOU>
Subject: Re: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute

Resending, as it seems my reply to Cullen yesterday got stuck somewhere on the Internet.

Regards,

Christer

From: Christer Holmberg <christer.holmberg@ericsson.com>
Date: Thursday 17 May 2018 at 21:03
To: Cullen Jennings <fluffy@iii.ca>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: RE: [rtcweb] draft-ietf-rtcweb-security-arch: Questions on SDP identity attribute


Hi,

A few questions/comments on the SDP identity attribute.

Q1:
----

The draft says that, at minimum, the fingerprint needs to be bound to the identity.

Does this mean that, in order to include an SDP identity attribute in an offer/answer, the offer/answer MUST also contain at least one SDP fingerprint attribute? Based on the text about generating the identity it seems like that, but it is not very clear in the SDP procedures.


JSEP requires DTLS/SRTP which requires adding the fingerprint so I think this is already required. Also JSEP points out lack of fingerprint will cause negotiation failure.

This is not about JSEP, but the definition of the SDP identity attribute. As this attribute can (I assume) be used on the wire, it needs to be defined as such.

The USAGE of the attribute can then be scoped to WebRTC, JSEP, or whatever.


Q2:
----

Section 5.6.4.1 says:

   "The "a=identity" attribute MUST include all
   fingerprint values that are included in "a=fingerprint" lines."

First, related to the generation of the assertion value, it is unclear how this is implemented. For example, is there a separate JSON object (section 5.6.4) provided to the IdP for each fingerprint? The text talks about “single” fingerprint in the object. Or, are all fingerprints included in the same JSON object?

Yah, I think it would get an Identity token for each fingerprint via a Generate Assertion for each fingerprint. But I think that is largely a WebRTC issue.

While it may be a WebRTC issue how to use multiple fingerprints in general, it is an SDP issue how to encode the attribute.


Second, it is unclear what “attribute MUST include all fingerprint values” means. I assume that the attribute will only include a single attribute assertion value, but that the value will be generated by the IdP based on all fingerprint values?

So if there were multiple fingerprints, the SDP would have multiple Identity lines.


In that case I don’t understand the statement in section 5.6.4.2, that says:

   “The semantics of multiple identity attributes are undefined.”

Also, to me “attribute MUST include all fingerprint values” sounds like a single attribute with multiple fingerprint values.



Q3:
----

In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it is a media-level attribute. AFAIR, media-level attributes cannot be included as session-level attributes.


I think fingerprint is valid as both session-level and media-level, so I suspect this is fine. JSEP also says that if the certs are the same, then it can be session level, but if different then it must be media level. So I think this is covered in JSEP.

JSEP does not define the attribute. If the attribute can be used both on session- and media-level, it needs to be defined in such a way in draft-ietf-rtcweb-security-arch.

Regards,

Christer
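The checks the three questions above circle around (an a=identity attribute needs at least one a=fingerprint to bind to; every a=fingerprint value, whether placed at session level or under an m= section, has to be covered by the assertion; more than one a=identity has undefined semantics) can be written down as receiver-side code. The following is an added example and is not code from the draft, from JSEP, or from anyone in this thread. It assumes a constructed stand-in IdP that binds the browser-supplied contents JSON (a "fingerprint" array of algorithm/digest objects, modelled on the draft's object) to an identity with an HMAC tag under a shared secret; the fingerprints, the idp.example.com domain and the SDP blobs are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the IdP: a shared HMAC key instead of a real IdP
# protocol. Only the SDP parsing and the coverage check mirror the draft's rules.
IDP_SECRET = b"constructed-idp-secret"
IDP_DOMAIN = "idp.example.com"


def parse_sdp(sdp):
    """Collect a=identity values and a=fingerprint lines. Fingerprints come back
    as (level, algorithm, digest), level being 'session' or the zero-based m=
    index, so both placements discussed in the thread are visible."""
    identities, fingerprints = [], []
    level = "session"
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            level = 0 if level == "session" else level + 1
        elif line.startswith("a=fingerprint:"):
            alg, digest = line[len("a=fingerprint:"):].split(" ", 1)
            fingerprints.append((level, alg.lower(), digest.strip().upper()))
        elif line.startswith("a=identity:"):
            # a=identity:<base64> [extensions]; only the base64 part is used here
            identities.append(line[len("a=identity:"):].split(" ", 1)[0])
    return identities, fingerprints


def idp_generate_assertion(contents, identity):
    """Constructed IdP: bind the browser-supplied contents JSON to an identity."""
    body = json.dumps({"contents": contents, "identity": identity}, sort_keys=True)
    tag = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def idp_validate_assertion(assertion):
    """Constructed IdP: verify the tag, return (identity, contents dict)."""
    body = assertion["body"]
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("tag", "")):
        raise ValueError("assertion tag does not verify")
    parsed = json.loads(body)
    return parsed["identity"], json.loads(parsed["contents"])


def make_identity_attr(fingerprints, identity):
    """Build one a=identity value covering the given (algorithm, digest) list."""
    contents = json.dumps({"fingerprint": [
        {"algorithm": a, "digest": d} for a, d in fingerprints]})
    assertion = idp_generate_assertion(contents, identity)
    blob = json.dumps({"assertion": assertion,
                       "idp": {"domain": IDP_DOMAIN, "protocol": "default"}})
    return base64.b64encode(blob.encode()).decode()


def verify_identity(sdp):
    """Receiver-side check. Returns (identity, missing); missing lists fingerprints
    present in a=fingerprint lines but not bound by the assertion."""
    identities, fingerprints = parse_sdp(sdp)
    if not identities:
        raise ValueError("no a=identity attribute")
    if len(identities) > 1:
        raise ValueError("multiple a=identity attributes: semantics undefined")
    if not fingerprints:
        raise ValueError("a=identity present but no a=fingerprint to bind it to")
    blob = json.loads(base64.b64decode(identities[0]))
    identity, contents = idp_validate_assertion(blob["assertion"])
    asserted = {(f["algorithm"].lower(), f["digest"].upper())
                for f in contents.get("fingerprint", [])}
    missing = sorted({(a, d) for _, a, d in fingerprints} - asserted)
    return identity, missing


def fake_fingerprint(seed):
    """Constructed SHA-256 fingerprint in a=fingerprint colon-hex form."""
    h = hashlib.sha256(seed).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


FP_AUDIO = fake_fingerprint(b"constructed-audio-cert")
FP_VIDEO = fake_fingerprint(b"constructed-video-cert")

# One certificate for all media: session-level fingerprint, assertion covers it.
SDP_SESSION_LEVEL = f"""v=0
s=-
a=fingerprint:sha-256 {FP_AUDIO}
a=identity:{make_identity_attr([("sha-256", FP_AUDIO)], "alice@example.com")}
m=audio 9 UDP/TLS/RTP/SAVPF 111
"""

# A certificate per m= section, but the assertion only covers the audio one.
SDP_PARTIAL = f"""v=0
s=-
a=identity:{make_identity_attr([("sha-256", FP_AUDIO)], "alice@example.com")}
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=fingerprint:sha-256 {FP_AUDIO}
m=video 9 UDP/TLS/RTP/SAVPF 96
a=fingerprint:sha-256 {FP_VIDEO}
"""
```

`verify_identity(SDP_SESSION_LEVEL)` returns the asserted identity with nothing missing, while `verify_identity(SDP_PARTIAL)` reports the video fingerprint as unbound: the receiver should then treat the identity as covering none of the media rather than silently accepting the audio half. The coverage test compares the full set of a=fingerprint values regardless of level, which is the reading of "MUST include all fingerprint values" that makes a fingerprint swapped in after the assertion was issued detectable.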