IETF Logo Mail Archive

Re: [rtcweb] JSEP fingerprint hash requirements

Martin Thomson <martin.thomson@gmail.com> Fri, 18 October 2013 16:34 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18BA811E8301 for <rtcweb@ietfa.amsl.com>; Fri, 18 Oct 2013 09:34:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.525
X-Spam-Level:
X-Spam-Status: No, score=-2.525 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EmN5BrpoB5Zp for <rtcweb@ietfa.amsl.com>; Fri, 18 Oct 2013 09:34:46 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 7895611E8286 for <rtcweb@ietf.org>; Fri, 18 Oct 2013 09:34:41 -0700 (PDT)
Received: by mail-wi0-f174.google.com with SMTP id cb5so1284300wib.1 for <rtcweb@ietf.org>; Fri, 18 Oct 2013 09:34:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Axeru3SD5nAjFUl2Ik3wJMCus9jdGMZPsqmZD8gLjUQ=; b=W4VqbwUT6EoXbbo3EsJQszAqALh0EdmVARxMURZAN721+Tnyc1mvNLGX1cK5PsYai8 JgPHN1luCh52lvDFngmo2AgCYfs2CpDQbybiABWkT/bfNeVyJ7g6cGGUcPMiKo9Pf2JT cr57i9MKTioBkXC7L2hz7VjvGgT9njg7ENPyJFOGRjFwgaxd+IiHp97MjVFjbeg+7XrQ wF33CDq1PqtQT3JyKONk0mGRMMFVf4+habovakQ6ylai+i6CplPUMQ/x6HhOI4aAhxk/ yV94mOM+9NVs5WmWbNl0cJPyC5O0d43f1YoNze32lZrks+fmgtmibeRi/2TonnA16B3G GlAw==
MIME-Version: 1.0
X-Received: by 10.180.9.139 with SMTP id z11mr186795wia.22.1382114080678; Fri, 18 Oct 2013 09:34:40 -0700 (PDT)
Received: by 10.227.202.194 with HTTP; Fri, 18 Oct 2013 09:34:40 -0700 (PDT)
In-Reply-To: <CABcZeBOGjsOTXPtAFh+KR9SDQv8tEtUDE3gLvSN+f5dZ2R2R1Q@mail.gmail.com>
References: <CAMvTgcfvaUMWJaD5zX2rt6DWOWBgHEA-SqNtOqxs_bOqw_Ygbg@mail.gmail.com> <CABkgnnXBdQOgs9OKYRrU4wYRghj3WH30=vo-q7iSVjUub1SKow@mail.gmail.com> <CABcZeBOGjsOTXPtAFh+KR9SDQv8tEtUDE3gLvSN+f5dZ2R2R1Q@mail.gmail.com>
Date: Fri, 18 Oct 2013 09:34:40 -0700
Message-ID: <CABkgnnVTv4jVZkCDHWKk_X8yb3VEGBLXh+sW00OCG6RXMNkpgA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] JSEP fingerprint hash requirements
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 16:34:47 -0000

On 17 October 2013 18:38, Eric Rescorla <ekr@rtfm.com> wrote:
> I'm not sure this was a sensible rule on 4572, but I don't think it's
> particularly harmful.

Right.  I'd have gone with a rule that said: MUST validate a
"strong-enough" hash; MAY ignore others; MUST fail validation if any
hash doesn't match.  That gives you backwards compatibility + hash
agility.

That only works of course if there is only one potential certificate
that can be used.  If you have to allow for several, then that doesn't
work.  But then you lose the advantages of the above.

>> That should probably be written down, of course.
>
> Agreed.

The question is: where?

I have a few hours, maybe I can write down an update to 4572 that fixes this.

v2.23.0 | Report a Bug | By Email