Re: [rtcweb] How to determine TLS roles?
Eric Rescorla <ekr@rtfm.com> Mon, 10 February 2014 20:42 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 657741A0701 for <rtcweb@ietfa.amsl.com>; Mon, 10 Feb 2014 12:42:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvX8Te5Ddh3e for <rtcweb@ietfa.amsl.com>; Mon, 10 Feb 2014 12:42:32 -0800 (PST)
Received: from mail-ve0-f169.google.com (mail-ve0-f169.google.com [209.85.128.169]) by ietfa.amsl.com (Postfix) with ESMTP id 890CA1A0405 for <rtcweb@ietf.org>; Mon, 10 Feb 2014 12:42:32 -0800 (PST)
Received: by mail-ve0-f169.google.com with SMTP id oy12so5545151veb.0 for <rtcweb@ietf.org>; Mon, 10 Feb 2014 12:42:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=feojh5L5RmUVhPVcb0A+30Fnar7dDvsyqcMf5re/doA=; b=jG7123TRjvKmVLqg0Ok1+6hFAILFC2d3AQklZZeC25S7wtsVAP+ZwuYxPvh7Gr3D3x hUH+u3gMA5nx+4rpStYGFVT4QVFZuWNi89In3JULWcHGY9f/Hly5CHp/tOAMbiag/SmW fsVJCfs2BRK5roGGDrGMXzR8ZpTu7TqnAOjVcfnW98fHWPCbajyaY6fjAMx/DBp/IufI NebuHdOE5Dj5mBilUhX29s1EhTtqbQcozYONjF9QqmV9TFUtxDeqsxmq6VSiXhGw5RCV WSSVKfHu4zsQJ+VIkQE3laR30o+BqrLzpHVb0AAtZpV+34+NTrxHXTI/c5u+TxY79nIw msyw==
X-Gm-Message-State: ALoCoQkmETYBmX3m+uszwq5g8ZLS0egS/q7nnwxyrA+4O4rM9Wu5e0eCvAta6oUqehxmtBfOnLFd
X-Received: by 10.52.110.201 with SMTP id ic9mr21253435vdb.22.1392064952139; Mon, 10 Feb 2014 12:42:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.106.162 with HTTP; Mon, 10 Feb 2014 12:41:52 -0800 (PST)
X-Originating-IP: [2620:101:8003:300:c532:42b5:40ec:6bd9]
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B1D167825@ESESSMB209.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B1D1672FC@ESESSMB209.ericsson.se> <9ADA7473-1F36-4D96-A875-D2DC0762E9C2@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D1673C4@ESESSMB209.ericsson.se> <54B6400D-3753-4285-96DB-08EDB23BD03F@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D1674E9@ESESSMB209.ericsson.se> <CABcZeBOyQeLSwYjKt7hNqn0WViHYhvLmsGecmwCWyGNgUdgSnA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D167825@ESESSMB209.ericsson.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 10 Feb 2014 12:41:52 -0800
Message-ID: <CABcZeBM520F4BAuWkRrdFvUD7yha1CR8xMo74fnf=pQwSvj32g@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: multipart/alternative; boundary="bcaec547c741fa1d3704f2136056"
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] How to determine TLS roles?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 20:42:35 -0000
On Mon, Feb 10, 2014 at 8:37 AM, Christer Holmberg < christer.holmberg@ericsson.com> wrote: > > Hi, > > >This is defined in RFC 5763 S 5: > >http://tools.ietf.org/html/rfc5763#section-5 > > > >Which points to: > >http://tools.ietf.org/html/rfc4145 > > Ok. So, a few questions to for clarification: > > Q1: This means that the JS App must set the setup attrbute value before > passing an SDP to the browser? > No. The browser does it. Q2: If SDP O/A is not used on the wire, there needs to be another mechanism > for the peers to negotiate/indicate who is "active" and who is "passive"? > I don't see how this is our problem. > Q3: If you have mulitple m- lines, all using the same DTLS association, > the setup attribute value must be identical in all m- lines? > You mean because they are bundled? This should follow the same rules we generally use for things that are bundled. > Q4: The data channel (DTLS/SCTP) will have the same rule (e.g. using the > setup attribute value) as DTLS/SRTP for determining the TLS role? > I would think so. -Ekr Regards, > > Christer > > > > > > > > On Mon, Feb 10, 2014 at 6:23 AM, Christer Holmberg < > christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> > wrote: > Hi, > > >>>> If I understand correctly, in RTCWEB we are going to use a single > DTLS association for two things: > >>>> > >>>> 1) Key exchange for SRTP > >>>> 2) The data channel > >>>> > >>>> Now, this means that there needs to be a generic way to determine the > TLS roles. > >>>> > >>>> In WEBRTC, how are the TLS roles determined? > >>> > >>> That was the subject of a rant of mine. > >>> > >>> I think the correct answer is that the party that ends up being > IceControlling then becomes the DTLS client. Typically the initiator of a > session is IceControlling. > >>> > >>> However the recent addition of > >>>> a=setup:passive > >>> to chrome's SDP clouds the story somewhat, allowing an IceController > to say that it is DTLS passive and allow the non-initiator to be the DTLS > client. > >>> > >>> Ostensibly this is to support early media - where the receiver of a > call wishes to send media before the initiator does. > >>> > >>> As I said (rather intemperately) this added complexity is not worth > the benefit. > >> > >> I think that it should be possible for a JS App to explicitly set the > roles. > >> > >> Because, when SDP O/A is used on the wire, there are specified rules on > how the roles are determined. But, some other on-the-wire protocol may have > different rules. > >> > > There are many things that the JS app will need to do if we aren't bound > by SDP O/A - but I agreed not to talk about that - until after 1.0 gets out > :-) > > Fair enough, but for 1.0 we still need to know how the roles are > determined :) > > The security-arch document does say that a DTLS handshake is performed on > each channel that has been established by ICE, but I don't find anything > regarding the roles. > > Regards, > > Christer > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org<mailto:rtcweb@ietf.org> > https://www.ietf.org/mailman/listinfo/rtcweb > >
- [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Eric Rescorla
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Eric Rescorla
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Eric Rescorla
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Eric Rescorla
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Tim Panton
- Re: [rtcweb] How to determine TLS roles? Christer Holmberg
- Re: [rtcweb] How to determine TLS roles? Parthasarathi R