Re: [rtcweb] Identity assertion: impact by removal or adding of fingerprints?

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 15 August 2018 07:10 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: RTCWeb IETF <rtcweb@ietf.org>
Date: Wed, 15 Aug 2018 07:10:25 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/tm-Pe5r0MfIkwereCmq8lwlVUr8>

Hi,

>The assertion can change, it's the identity that results that can't
>change (in WebRTC, and likely many other cases).

Ok. My understanding was that in WebRTC the PC cannot communicate with the
IdP in order to create a new assertion (e.g., when a new fingerprint has
been added), even with the same identity, but I’m glad if I was wrong :)

Regards,

Christer





>On Wed, Aug 15, 2018 at 4:25 PM Christer Holmberg
><christer.holmberg@ericsson.com> wrote:
>>
>>
>> Hi,
>>
>> One possibility would be to say that an endpoint is not allowed to add a
>> new fingerprint (that hasn't been used before within the session), if
>> updating of the identity assertion is not supported.
>>
>> Is it possible to use the same fingerprint for multiple m- lines, even if
>> they are not bundled?
>>
>> Regards,
>>
>> Christer
>>
>>
>>
>> On 13/08/18 10:23, "rtcweb on behalf of Christer Holmberg"
>> <rtcweb-bounces@ietf.org on behalf of christer.holmberg@ericsson.com>
>> wrote:
>>
>> >
>> >Hi,
>> >
>> >>Unused fingerprints aren't a problem.  a=fingerprint offers multiple
>> >>options, any of which could be used.  The a=identity attribute is no
>> >>different.  If a fingerprint is authenticated, but not used, that's OK
>> >>as long as the ones that are used are covered.
>> >
>> >That may require a little re-wording, because I think the text now says
>> >that each fingerprint that was used to create the assertion must always be
>> >included in offers and answers.
>> >
>> >>If a new fingerprint is added, that's OK, as long as the a=identity
>> >>previously covered that value,
>> >
>> >That may not be true if one e.g., adds a new m- section with a fingerprint
>> >that has not previously been used.
>> >
>> >>or is amended to include the new value.
>> >
>> >How does that work?
>> >
>> >Regards,
>> >
>> >Christer
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >>On Mon, Aug 13, 2018 at 4:30 PM Christer Holmberg
>> >><christer.holmberg@ericsson.com> wrote:
>> >>>
>> >>>
>> >>> Hi,
>> >>>
>> >>> One thing that came to my mind when working on the SDP Identity
>> >>>attribute pull request.
>> >>>
>> >>> In WebRTC, and in the draft, we assume that the identity assertion is
>> >>>bound to the fingerprints.
>> >>>
>> >>> What if fingerprints are removed, or added, during a session. Will that
>> >>>impact the identity assertion?
>> >>>
>> >>> A fingerprint can be removed if it is only used for one m- section, and
>> >>>that m- section is disabled.
>> >>>
>> >>> Regards,
>> >>>
>> >>> Christer
>> >>> _______________________________________________
>> >>> rtcweb mailing list
>> >>> rtcweb@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/rtcweb
>> >
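An added example, not from this thread or any WebRTC implementation, that encodes the rule Martin states above ("if a fingerprint is authenticated but not used, that's OK as long as the ones that are used are covered") and checks it against the two cases Christer raises: a disabled m- section dropping its fingerprint, and a new m- section bringing a fingerprint the assertion never covered. The assertion's coverage is modelled as a plain set of fingerprints (an assumption; a real a=identity value carries an IdP-signed assertion that this example does not parse), and the SDP and fingerprint values are constructed placeholders.

```python
import re

FP_RE = re.compile(r"^a=fingerprint:(\S+)\s+(\S+)$", re.I)

def used_fingerprints(sdp):
    """Fingerprints actually in use: a session-level a=fingerprint applies to
    every m-section unless that section carries its own; a disabled section
    (port 0) uses none, so its fingerprint drops out of the used set."""
    session_fps, sections, cur = set(), [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            cur = {"port": int(line.split()[1]), "fps": set()}
            sections.append(cur)
            continue
        m = FP_RE.match(line.strip())
        if m:
            fp = (m.group(1).lower(), m.group(2).upper())
            (cur["fps"] if cur is not None else session_fps).add(fp)
    used = set()
    for s in sections:
        if s["port"] != 0:
            used |= s["fps"] or session_fps
    return used

def assertion_still_valid(sdp, covered):
    """Every fingerprint used by an active m-section must be covered by the
    assertion; covered-but-unused fingerprints are harmless."""
    return used_fingerprints(sdp) <= covered

# Constructed sample values (placeholders, not real certificate hashes).
FP_A = ("sha-256", "AA:AA:AA:AA")
FP_B = ("sha-256", "BB:BB:BB:BB")
FP_C = ("sha-256", "CC:CC:CC:CC")

def make_sdp(sections):
    """Build a minimal SDP with one media-level fingerprint per m-section."""
    lines = ["v=0", "o=- 1 1 IN IP4 0.0.0.0", "s=-"]
    for kind, port, fp in sections:
        lines += [f"m={kind} {port} UDP/TLS/RTP/SAVPF 0",
                  f"a=fingerprint:{fp[0]} {fp[1]}"]
    return "\n".join(lines)

COVERED = {FP_A, FP_B}  # fingerprints the original assertion was bound to
INITIAL = make_sdp([("audio", 9, FP_A), ("video", 9, FP_B)])
VIDEO_DISABLED = make_sdp([("audio", 9, FP_A), ("video", 0, FP_B)])
NEW_SECTION = make_sdp([("audio", 9, FP_A), ("video", 9, FP_B),
                        ("application", 9, FP_C)])
```

With these inputs the initial offer and the offer that disables video both pass, while the offer adding a third m- section with FP_C fails until the assertion is amended to cover it.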