[tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-15: (with DISCUSS and COMMENT)

["Stephen Farrell" <stephen.farrell@cs.tcd.ie>]

Stephen Farrell has entered the following ballot position for
draft-ietf-tram-turn-third-party-authz-15: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------


Edited discuss ballot after chats around Dallas.

(1)  cleared

(2) Please consider whether a signature based 
scheme that does not require pre-shared keys between
the TURN and (in particular) WebRTC server could
be useful to support. (Either in this document or 
elsewhere.) There should be use cases where that
offers sufficient accountability for use of TURN and
it ought allow some deployments that are less easy
with this kind of pre-shared keys approach. The 
DISCUSS here is to check if the WG want to take
that approach, either now or later. (I've sent a 
mail to the WG list, this will clear shortly once
that is discussed.)

(3)  cleared (but see now comments below this is
still badly done IMO)


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


NEW COMMENTS: 

- As some others have said before, this is still not an easy
read and though better, could still do with more editorial
work.

- Why are 4.1.1 and 4.1.2 still just examples. You need one
to be MTI or you won't get interop. Indeed 4.1.2 says you
SHOULD do 4.1.1! Please just bite the bullet and clearly say
that 4.1.1 is MTI.

- 4.1.1, "HTTPS MUST be used for mutual authentication" is
not a very clear way to say it. You mean that HTTPS MUST be
used and that TLS with mutual authentication based on client
certificates MUST be used. How does the WebRTC server know
what CA the TURN server is going to use? That's another point
of pre-arrangement that will be needed.

- 4.1.1, I thought the web folks frowned upon specifying URI
parameters like that. Shouldn't you at least use a
.well-known URL or something so as to not get on someone
eles's lawn?

- 6.2, PATH_MTU is not the correct term. There are 
two paths involved, from WebRTC to browser and from
browser to TURN server and MTUs need not be the same
on those paths.

OLD COMMENTS BELOW HERE, I DIDN'T CHECK
THOSE.

- I really think this would benefit from some wider review
and I don't think it's ready as-is.

- I agree with Richard's discuss points.

- intro: "impossible in web applications" isn't really
true in principle, but impossible in WebRTC as it uses JS
is true. 

- Assuming the AS that can authorize the user shares a
secret with the STUN server chosen by the WebRTC server
seems very brittle. Why would that be true in general?

- 4.1.1: Hmmm. How many people use KeyProv I wonder?

- 4.1.2 - which "two servers"? WebRTC can have more
servers than that.

- 4.1.2 - now we're using TLS mutual auth? And how does
the TLS client know which CA to use that'll work with the
TLS server here? I don't think that'll scale will it?

- 4.1.3 - this looks like what the WG/authors really want,
would that be a fair statement?

- 9: Figure 2 should be way up at the top of the document
and not here

- 9: Why 5 seconds?