[rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 24 May 2018 08:19 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06A3F12D96A for <rtcweb@ietfa.amsl.com>; Thu, 24 May 2018 01:19:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4-bdU0JMbI0 for <rtcweb@ietfa.amsl.com>; Thu, 24 May 2018 01:19:53 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87A7312D964 for <rtcweb@ietf.org>; Thu, 24 May 2018 01:19:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1527149990; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=G9FWhdw6Kqo8LoGPSZvN07CdCB9lrYfZC9FhJCexles=; b=O2exwLTo/gCtJdsz70Ni3w+eMiM3Txdcp3F5if0KZsMwcn/nAVo8w2sdNObYUcbu B7CjurbLhT0FXbefTXUvOcSfjPdl8JagyGyy2SHyeTso3WOjuS8ZvbAq3Y9FZUcw AFTsE6yar5DqiUTxRpkyDB2dnH+V/Y1SdHhD8hAoZKA=;
X-AuditID: c1b4fb30-549ff700000065fb-c3-5b0675a678bb
Received: from ESESSHC003.ericsson.se (Unknown_Domain [153.88.183.27]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 90.A0.26107.6A5760B5; Thu, 24 May 2018 10:19:50 +0200 (CEST)
Received: from ESESSMB109.ericsson.se ([169.254.9.29]) by ESESSHC003.ericsson.se ([153.88.183.27]) with mapi id 14.03.0382.000; Thu, 24 May 2018 10:19:50 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: RTCWeb IETF <rtcweb@ietf.org>, "sdp-directorate-private@ietf.org" <sdp-directorate-private@ietf.org>
CC: "rtcweb-chairs@ietf.org" <rtcweb-chairs@ietf.org>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, "adam@nostrum.com" <adam@nostrum.com>, Ben Campbell <ben@nostrum.com>
Thread-Topic: SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
Thread-Index: AdPzN1wT5XjwzlheSrOwvOSQwMHuDg==
Date: Thu, 24 May 2018 08:19:49 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B72F048B9@ESESSMB109.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.169]
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B72F048B9ESESSMB109erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprEIsWRmVeSWpSXmKPExsUyM2K7tO6yUrZog40N2hZ7/i5it5jfeZrd 4vzO9UwWPW9vsFis/dfObvH00Q4WBzaPJUt+MnnM2vmEJYApissmJTUnsyy1SN8ugSvjw6PP jAVvFjJWrF3cwNrA2NvD2MXIySEhYCJxbPtKti5GLg4hgSOMEq1zl0M5ixklfi3qAXI4ONgE LCS6/2mDNIgIZElM/76EHaSGWWAzo8TOnq3sIAlhgQSJNxN2s0MUpUrs376AEcLWk/j0/Ak7 yBwWAVWJlb3MIGFeAV+Jc7u+sIDYjAJiEt9PrWECsZkFxCVuPZnPBHGcgMSSPeeZIWxRiZeP /7FC2EoSJ7s3s0DU50s0v77PCjFTUOLkzCcsExiFZiEZNQtJ2SwkZRBxHYkFuz+xQdjaEssW vmaGsc8ceMyELL6AkX0Vo2hxanFSbrqRkV5qUWZycXF+nl5easkmRmBMHdzy22AH48vnjocY BTgYlXh4TxWzRQuxJpYVV+YeYpTgYFYS4V2QBBTiTUmsrEotyo8vKs1JLT7EKM3BoiTOa+G3 OUpIID2xJDU7NbUgtQgmy8TBKdXAGDK56OjDt8Vawdye789kvzl8027b1pnHfon3vXSuP6ES curZjJadGfM89h3bHpBRsjbxXVKpmL/FxEdlD5h8txrXdy6s7N2dkCYxKXYye9cczaas/mpJ 5/L1pxfNdrN3DlORMKna03rh1Xfuy8Zv107f+Tv5xZ6Je3Js5Jd/SklM0XTS+9rQrMRSnJFo qMVcVJwIAPxyukWlAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/vQr1D-_l6TLrigH2DuIufp0gWaE>
Subject: [rtcweb] SDP directorate review of SDP Identity attribute (draft-ietf-rtcweb-security-arch-14)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 08:19:55 -0000
Hi,
Below is my SDP directorate review of the SDP Identity attribute, defined in draft-ietf-rtcweb-security-arch-14.
Most of the comments have previously been given as individual comments by Paul K and myself. Some have also been addressed by Sean T, but I will include them for completeness.
---
Q0 (Scope):
As the SDP attribute definition should be able to stand on its own legs, there should be a description/reference to the IdP solution that it is used for.
Also, if the usage of the attribute is scoped to devices implementing the WebRTC specification, that should be indicated.
---
Q1 (Structure):
The document lacks the offer/answer procedure structure used for SDP attributes.
X.1 Generating the Initial Offer
X.2 Generating the Answer
X.3 Offerer Processing of the Answer
X.4 Modifying the Session
Based on discussion in MMUSIC, it is also good to clarify that "initial offer" refers to the offer where the extension is first introduced.
The O/A procedures also need to cover the case when an offer/answer from a peer does not include an Identity attribute.
---
Q2 (Missing information):
The mux category is missing.
---
Q3 (Grammar):
The current ABNF says:
identity-attribute = "identity:" identity-assertion
[ SP identity-extension
*(";" [ SP ] identity-extension) ]
This mixes the usage of space and semicolon for separating identity assertions. Please use one:
identity-attribute = "identity:" identity-assertion
*( SP identity-extension )
...or:
identity-attribute = "identity:" identity-assertion
*(";" identity-extension)
---
Q4 (Attribute definition):
Historically there have been problems with the definitions of new SDP attributes. Especially, the manner of defining the syntax was inconsistent. RFC4566 gave insufficient guidance on how to do this. draft-ietf-mmusic-rfc4566bis (especially section 8.2.4.1) has provided more guidance on how to do this. Please do your definitions in that style. For instance:
5.6.4.2 a=identity Attribute
The identity attribute is session level only. It contains an
identity assertion, encoded as a base-64 string [RFC4648].
Attribute Name: identity
Attribute Value: identity-value
Usage Level: session
Charset Dependent: No
Mux Category: ???
The Augmented BNF syntax [2] for the attribute is:
identity-attribute = "identity:" identity-assertion
*( SP identity-extension )
[continue on with remainder of section.]
---
Q5:
The draft says that, at minimum, the fingerprint needs to be bound to the identity.
First, I assume this means that, for each assertion, the associated SDP fingerprint attribute must be included in the offer/answer. If so, please include text about that.
Second, it would be good to indicate that, in the SDP, there is no link between a given assertion and the associated fingerprint.
---
Q6:
Section 5.6.4.1 says:
"The "a=identity" attribute MUST include all
fingerprint values that are included in "a=fingerprint" lines."
It is unclear what "attribute MUST include all fingerprint values" means. I assume that the text should say something like:
"The "a=identity" attribute MUST include an assertion for each
a=fingerprint attribute value that are included in the SDP offer/answer."
It should also be clarified that, if the attribute is used on media-level in an m- section, it contains the assertion for each fingerprint associated with that m- section.
---
Q7:
Section 5.6.4.2 says:
"The semantics of multiple identity attributes are undefined."
First, I don't see the difference in having a single attribute with multiple assertions, or multiple attributes with single assertions. Having said that, if we only want to allow one way, I would suggest to simply forbid multiple attributes.
Second, it needs to be clarified that the rule apply to a given m- section.
---
Q8:
In the example in Section 5.6.4.1 the SDP fingerprint attribute is included as a session-level attribute. However, it is currently only defined as a media-level attribute.
---
Regards,
Christer
- Re: [rtcweb] SDP directorate review of SDP Identi… Martin Thomson
- [rtcweb] SDP directorate review of SDP Identity a… Christer Holmberg
- Re: [rtcweb] SDP directorate review of SDP Identi… Ted Hardie
- Re: [rtcweb] SDP directorate review of SDP Identi… Christer Holmberg
- Re: [rtcweb] SDP directorate review of SDP Identi… Christer Holmberg