[secdir] SecDir review of draft-ietf-bfcpbis-sdp-ws-uri

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 04 January 2017 19:23 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: secdir <secdir@ietf.org>
Date: Wed, 04 Jan 2017 11:23:38 -0800
Message-ID: <164C5B0F-1606-4D8D-BB34-1FF9F8DA7081@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/WeLNcFkm6D-J46aPTaUxdOj3hSY>

This document specifies extensions to SDP that can be used by 
application protocols (most likely SIP endpoints) that rely on WebSocket 
as a transport. For this, they need a URI that will appear in an SDP 
attribute.

The Security Considerations section of the document adequately covers 
the problems with creating this SDP attribute to carry the URI, namely 
that SDP can be run either with or without authentication in the message 
and transport. The security considerations say that the entities SHOULD 
use S/MIME and TLS for these; these common-sense suggestions apply to all 
use of SDP, and are no more important here than for other uses of SDP.

--Paul Hoffman