[stir] [Technical Errata Reported] RFC8224 (5390)

RFC Errata System <rfc-editor@rfc-editor.org> Thu, 14 June 2018 19:52 UTC


The following errata report has been submitted for RFC8224,
"Authenticated Identity Management in the Session Initiation Protocol (SIP)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5390

--------------------------------------
Type: Technical
Reported by: Invalid restriction on when to add "mky" <tasveren@rbbn.com>;

Section: 12.1

Original Text
-------------
When signing a request that contains a fingerprint of keying material
in SDP for DTLS-SRTP [RFC5763], this mechanism always provides a
signature over that fingerprint. 


Corrected Text
--------------
When signing a request that contains a fingerprint
of keying material in SDP, this mechanism always 
provides a signature over that fingerprint. 


Notes
-----
The attack vector described in 12.1 to justify the addition of "mky" is applicable to scenarios where a fingerprint in SDP is used for reasons other than DTLS-SRTP as well.
Use of a fingerprint for MSRP per RFC 4975 is an example of this.

From RFC4975:

14.4.  Using TLS in Peer-to-Peer Mode

   TLS can be used with a self-signed certificate as long as there is a
   mechanism for both sides to ascertain that the other side used the
   correct certificate.  When used with SDP and SIP, the correct
   certificate can be verified by passing a fingerprint of the
   certificate in the SDP and ensuring that the SDP has suitable
   integrity protection.  When SIP is used to transport the SDP, the
   integrity can be provided by the SIP Identity mechanism [17].  The
   rest of this section describes the details of this approach.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC8224 (draft-ietf-stir-rfc4474bis-16)
--------------------------------------
Title               : Authenticated Identity Management in the Session Initiation Protocol (SIP)
Publication Date    : February 2018
Author(s)           : J. Peterson, C. Jennings, E. Rescorla, C. Wendt
Category            : PROPOSED STANDARD
Source              : Secure Telephone Identity Revisited
Area                : Applications and Real-Time
Stream              : IETF
Verifying Party     : IESG
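The gap the erratum describes, shown as an added example that is not part of the report or of RFC 8224: a signer and verifier that cover only fingerprints under DTLS-SRTP media lines never notice a substituted MSRP-over-TLS fingerprint, while covering every a=fingerprint in the SDP (the erratum's reading) does. The SDP body is constructed, and the "mky" element shape ({"alg", "dig"} objects sorted by alg then dig) is an assumption made here, not taken from this page.

```python
from typing import Dict, List

# Constructed sample SDP: one DTLS-SRTP audio stream and one MSRP-over-TLS
# session (RFC 4975 style), each protected by its own a=fingerprint attribute.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.1
s=-
c=IN IP4 192.0.2.1
t=0 0
m=audio 49170 UDP/TLS/RTP/SAVP 0
a=setup:actpass
a=fingerprint:sha-256 02:1A:CC:54:27:AB:EB:9C:D3:3F:3E:69:32:1D:9F:67:2D:15:6B:62:B2:CF:8E:20:A5:E1:B0:FB:65:91:40:51
m=message 7654 TCP/TLS/MSRP *
a=accept-types:text/plain
a=path:msrps://192.0.2.1:7654/jshA7weztas;tcp
a=fingerprint:sha-1 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
"""

DTLS_SRTP_PROTOS = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def sdp_fingerprints(sdp: str, dtls_srtp_only: bool) -> List[Dict[str, str]]:
    """Fingerprints a signer would place in "mky" (assumed shape: {"alg", "dig"}
    objects sorted by alg, then dig). dtls_srtp_only=True is the narrow reading
    of the original 12.1 text; False is the erratum's corrected reading."""
    found, proto = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            proto = line.split()[2]            # transport protocol of this media section
        elif line.startswith("a=fingerprint:"):
            alg, dig = line[len("a=fingerprint:"):].split(None, 1)
            if dtls_srtp_only and proto not in DTLS_SRTP_PROTOS:
                continue                       # narrow reading leaves this fingerprint unsigned
            found.append({"alg": alg.lower(), "dig": dig.strip().upper()})
    return sorted(found, key=lambda f: (f["alg"], f["dig"]))

def tamper_detected(mky: List[Dict[str, str]], received_sdp: str, dtls_srtp_only: bool) -> bool:
    """Verifier side: the signed "mky" list must equal the fingerprints found in
    the SDP actually received, extracted with the same rule the signer used."""
    return mky != sdp_fingerprints(received_sdp, dtls_srtp_only)

if __name__ == "__main__":
    # Constructed in-path substitution of the MSRP fingerprint only.
    tampered = SAMPLE_SDP.replace("4A:AD:B9:B1", "DE:AD:BE:EF")
    for narrow in (True, False):
        mky = sdp_fingerprints(SAMPLE_SDP, narrow)
        print("dtls_srtp_only=%s -> substituted MSRP fingerprint detected: %s"
              % (narrow, tamper_detected(mky, tampered, narrow)))
```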