Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 24 May 2018 19:36 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 346B312EB11 for <rtcweb@ietfa.amsl.com>; Thu, 24 May 2018 12:36:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JPgGOomHhr7a for <rtcweb@ietfa.amsl.com>; Thu, 24 May 2018 12:36:40 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E50F12EB13 for <rtcweb@ietf.org>; Thu, 24 May 2018 12:36:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1527190595; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=B23bjUF3hHQOUw42KOQd/Wj4AhO/5P18jnFHn9ZeR10=; b=Qi9UmaenyRiq133Xq7WiSpxdvoZeaGjKZhUrt396WnhJOpPnMVNoP4cAAJ0NErs5 uXXcEnbh3Rw9Tcq7Eh1kzsCKWIH4plG4A2bjNDdNjMeB9nYSYxHz4T+zkdPqVgzY yCUnC7eopWvOe2GwslVeM9ZHc0rUHPVa9edoxqUqLwM=;
X-AuditID: c1b4fb30-561ff700000065fb-5d-5b071443b32d
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.183.24]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id E7.B3.26107.344170B5; Thu, 24 May 2018 21:36:35 +0200 (CEST)
Received: from ESESSMB109.ericsson.se ([169.254.9.29]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.03.0382.000; Thu, 24 May 2018 21:36:34 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Ted Hardie <ted.ietf@gmail.com>
CC: RTCWeb IETF <rtcweb@ietf.org>, "sdp-directorate-private@ietf.org" <sdp-directorate-private@ietf.org>, "rtcweb-chairs@ietf.org" <rtcweb-chairs@ietf.org>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, "adam@nostrum.com" <adam@nostrum.com>, Ben Campbell <ben@nostrum.com>
Thread-Topic: SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
Thread-Index: AdPzN1wT5XjwzlheSrOwvOSQwMHuDgAP4KCAAAfSrcA=
Date: Thu, 24 May 2018 19:36:34 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B72F06F33@ESESSMB109.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se> <CA+9kkMB_SmOwjh7Qh2rpYYLBOwDgmYg9Ai4768zOwwVLUA-wXA@mail.gmail.com>
In-Reply-To: <CA+9kkMB_SmOwjh7Qh2rpYYLBOwDgmYg9Ai4768zOwwVLUA-wXA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.170]
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B72F06F33ESESSMB109erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrMIsWRmVeSWpSXmKPExsUyM2K7hK6zCHu0wYfvuhZ7/i5it5jfeZrd 4vzO9UwWPW9vsFis/dfObvH00Q4Wi8a5dg7sHjtn3WX3WLLkJ5PHrJ1PWAKYo7hsUlJzMstS i/TtErgyPuy4xFzwbj5TxZEDy9gbGFfMYOpi5OSQEDCRaGh/y9jFyMUhJHCEUeL1m1tQzmJG icmNF1i6GDk42AQsJLr/aYM0iAgoS+y9soMNpIZZYDaTxNfuxSwgCWGBFIlni/ewQxSlSuzf voARwraSmL5lGVgNi4CqxK33y1hBbF4BX4k5e5+BxYUEpjBKfFyrD2JzCgRK7N51Few6RgEx ie+n1oDZzALiEreezIe6WkBiyZ7zzBC2qMTLx/9YIWwliTObnrNA1OdLPDrTyQ6xS1Di5Mwn LBMYRWYhGTULSdksJGWzgF5mFtCUWL9LH6JEUWJK90N2CFtDonXOXHZk8QWM7KsYRYtTi5Ny 042M9FKLMpOLi/Pz9PJSSzYxAqPy4JbfBjsYXz53PMQowMGoxMObw8MeLcSaWFZcmXuIUYKD WUmEt/sXW7QQb0piZVVqUX58UWlOavEhRmkOFiVxXgu/zVFCAumJJanZqakFqUUwWSYOTqkG RpPf/L6VNwoUvple61Cq99l0wr/C6tuByGNfM5Y1LLIVXbGDe9WxCfYPCzlOKr4V1r2tuYXz oFvpVVbDWQ6bLxUaVvDu8kzm/x2zZwLDS62TtRZzCprnbXzyVbWApYTrtMm+Da/NmX8qWd22 qWP0zFivbGWko9VjsynohKH/tuMHNBZYfzCaocRSnJFoqMVcVJwIAERfkaHGAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/s7Txd2wUzFEUp6-sYFn4egrIFdE>
Subject: Re: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 19:36:42 -0000
Hi,
>Can you let us know which of those you believe are still outstanding?
I believe all except Q2 are still outstanding.
Sean did have some input on Q0, but I am not sure there was ever an outcome.
Regards,
Christer
On Thu, May 24, 2018 at 1:19 AM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote:
Hi,
Below is my SDP directorate review of the SDP Identity attribute, defined in draft-ietf-rtcweb-security-arch-14.
Most of the comments have previously been given as individual comments by Paul K and myself. Some have also been addressed by Sean T, but I will include them for completeness.
---
Q0 (Scope):
As the SDP attribute definition should be able to stand on its own legs, there should be a description/reference to the IdP solution that it is used for.
Also, if the usage of the attribute is scoped to devices implementing the WebRTC specification, that should be indicated.
---
Q1 (Structure):
The document lacks the offer/answer procedure structure used for SDP attributes.
X.1 Generating the Initial Offer
X.2 Generating the Answer
X.3 Offerer Processing of the Answer
X.4 Modifying the Session
Based on discussion in MMUSIC, it is also good to clarify that “initial offer” refers to the offer where the extension is first introduced.
The O/A procedures also need to cover the case when an offer/answer from a peer does not include an Identity attribute.
---
Q2 (Missing information):
The mux category is missing.
---
Q3 (Grammar):
The current ABNF says:
identity-attribute = "identity:" identity-assertion
[ SP identity-extension
*(";" [ SP ] identity-extension) ]
This mixes the usage of space and semicolon for separating identity assertions. Please use one:
identity-attribute = "identity:" identity-assertion
*( SP identity-extension )
…or:
identity-attribute = "identity:" identity-assertion
*(";" identity-extension)
---
Q4 (Attribute definition):
Historically there have been problems with the definitions of new SDP attributes. Especially, the manner of defining the syntax was inconsistent. RFC4566 gave insufficient guidance on how to do this. draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided more guidance on how to do this. Please do your definitions in that style. For instance:
5.6.4.2 a=identity Attribute
The identity attribute is session level only. It contains an
identity assertion, encoded as a base-64 string [RFC4648].
Attribute Name: identity
Attribute Value: identity-value
Usage Level: session
Charset Dependent: No
Mux Category: ???
The Augmented BNF syntax [2] for the attribute is:
identity-attribute = "identity:" identity-assertion
*( SP identity-extension )
[continue on with remainder of section.]
---
Q5:
The draft says that, at minimum, the fingerprint needs to be bound to the identity.
First, I assume this means that, for each assertion, the associated SDP fingerprint attribute must be included in the offer/answer. If so, please include text about that.
Second, it would be good to indicate that, in the SDP, there is no link between a given assertion and the associated fingerprint.
---
Q6:
Section 5.6.4.1 says:
"The "a=identity" attribute MUST include all
fingerprint values that are included in "a=fingerprint" lines."
It is unclear what “attribute MUST include all fingerprint values” means. I assume that the text should say something like:
"The "a=identity" attribute MUST include an assertion for each
a=fingerprint attribute value that are included in the SDP offer/answer.”
It should also be clarified that, if the attribute is used on media-level in an m- section, it contains the assertion for each fingerprint associated with that m- section.
---
Q7:
Section 5.6.4.2 says:
“The semantics of multiple identity attributes are undefined.”
First, I don’t see the difference in having a single attribute with multiple assertions, or multiple attributes with single assertions. Having said that, if we only want to allow one way, I would suggest to simply forbid multiple attributes.
Second, it needs to be clarified that the rule apply to a given m- section.
---
Q8:
In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it is currently only defined as a media-level attribute.
---
Regards,
Christer
- Re: [rtcweb] SDP directorate review of SDP Identi… Martin Thomson
- [rtcweb] SDP directorate review of SDP Identity a… Christer Holmberg
- Re: [rtcweb] SDP directorate review of SDP Identi… Ted Hardie
- Re: [rtcweb] SDP directorate review of SDP Identi… Christer Holmberg
- Re: [rtcweb] SDP directorate review of SDP Identi… Christer Holmberg