IETF Logo Mail Archive

Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 13 May 2015 10:42 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4742B1B2B37; Wed, 13 May 2015 03:42:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jmlXHlfHesZW; Wed, 13 May 2015 03:42:53 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3EF51B2B3B; Wed, 13 May 2015 03:42:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id CBE23BEBF; Wed, 13 May 2015 11:42:50 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wp8p3MZ-Isrt; Wed, 13 May 2015 11:42:50 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A2642BE55; Wed, 13 May 2015 11:42:50 +0100 (IST)
Message-ID: <55532AAA.1040407@cs.tcd.ie>
Date: Wed, 13 May 2015 11:42:50 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Simon Perreault <sperreault@jive.com>, Alissa Cooper <alissa@cooperw.in>, Oleg Moskalenko <mom040267@gmail.com>
References: <20150511233012.17046.42319.idtracker@ietfa.amsl.com> <CALDtMr+x2Mi8v0jwFUscryccjc7Zf0o-mPo64S2dpHPqnnoXUA@mail.gmail.com> <A14F5400-21EB-4EE0-B988-CDA929EAE5A2@cooperw.in> <555153F0.4050204@cs.tcd.ie> <55522411.10104@jive.com> <55522D57.8090009@cs.tcd.ie> <5552318F.6050508@jive.com>
In-Reply-To: <5552318F.6050508@jive.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/6rQdC0yRSEHFf1g3gpAZcz2qevI>
Cc: tram-chairs@ietf.org, "tram@ietf.org" <tram@ietf.org>, draft-ietf-tram-stun-origin.shepherd@ietf.org, draft-ietf-tram-stun-origin.ad@ietf.org, IESG <iesg@ietf.org>, draft-ietf-tram-stun-origin@ietf.org
Subject: Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 10:42:56 -0000


On 12/05/15 17:59, Simon Perreault wrote:
> Le 2015-05-12 12:41, Stephen Farrell a écrit :
>>> In the case where a single entity controls the authentication databases
>>> for all tenants of a single server, you're right. However, that
>>> condition does not hold in general. That is, we really do need to
>>> properly handle username collisions across realms.
>>
>> Sorry, I'm really not getting that. It is not a name for
>> a person, at least in WebRTC, right? It is some name
>> agreed between the WebRTC JS code and the TURN server. And
>> I'd hope it ought change frequently if it matters at all
>> or else it'll be scraped from the JS (or debug tooling).
> 
> What you say is true for WebRTC. A REST API for obtaining ephemeral
> usernames was even proposed:
> https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
> 
> For SIP, however, usernames are not ephemeral, are not easily changed,
> and, depending on what client provisioning allows, are often constrained
> to be identical to the SIP username, while the realm is often
> constrained to be identical to the SIP domain name. WebRTC front-ends to
> SIP infrastructure could also have the same constraints.

Hmm. Wouldn't addressing that issue (same protocol field is
sometimes based on human memorable secrets and sometimes
now) have been a fine thing for the tram wg to have done. Is
that being addressed by the WG, other than via the oauth
approach?

S.

> 
>>> I'd appreciate if we could recognize that there is a problem with
>>> current practice, 
>>
>> I believe I did that already.
> 
> Sorry, I understood your last email as suggesting that username hacks
> made ORIGIN unnecessary.
> 
>>> 1) Are those concerns identical or different from those applying to,
>>> e.g., the Host HTTP header, or the SNI TLS extension? If they're
>>> different, how are they different?
>>
>> They may or may not be different but doing something better also
>> may or may not be more tractable. And the world has changed since
>> e.g. SNI was defined. (There is also desire to hide SNI in the
>> TLS 1.3 handshake if possible. We don't know if it will be possible
>> or not but the desire is there and is real.)
> 
> I'm all for discussing something better, but at the moment I don't know
> what that could be... Maybe it is obvious to security folks, but it is
> not to me!
> 
>>> 2) Is there a proposal that could fix the privacy issue? So far I've
>>> seen IESG members pointing out the issue, authors acknowledging the
>>> issue, but no discussion of solutions.
>>
>> From my POV, that is the discussion we are having and that is not
>> yet done.
> 
> Ok, I'm happy to continue then! :)
> 
> Simon
>

v2.23.0 | Report a Bug | By Email