Re: [Wish] WG Last Call for draft-ietf-wish-whip

Adam Roach <adam@nostrum.com> Mon, 11 July 2022 22:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/29Qe8y8fV9-uns8TOUbHc_rhAiM>

On 6/29/2022 9:31 AM, Sean Turner wrote:
> Hi! We are going to extend the WG last call period by two weeks because of the low number of reviews. Please note that you can also say that you are fine with the I-D progressing.


I think the document is nearly ready for the IESG to consider, once we 
have dispositions for the items that Juliusz and Christer have raised (to 
be clear, I don't necessarily think we need changes for all of their 
raised points; just that we need to drive each one to conclusion).

I have submitted a PR with suggested editorial changes at 
<https://github.com/wish-wg/webrtc-http-ingest-protocol/pull/65>.

Aside from those editorial suggestions and a select few of the 
outstanding comments, the only concern I have is the length of the 
"Security Considerations" section: I guarantee that this document will 
not progress through IESG review without additional text. I think we 
need to address items such as:

* Sensitivity of authentication information, including how long 
authentication tokens should remain valid

* A brief discussion of the properties of media keys (e.g., the use of 
DTLS-SRTP means that media keying information is not visible to any HTTP 
intermediaries, such as TLS processors in CDNs)

* A discussion of potential resource exhaustion attacks if 
unauthenticated requests are allowed, along with mitigation suggestions

* The importance of servers requiring proper consent freshness 
processing to avoid certain classes of DDoS attacks

* Servers potentially limiting the number of simultaneous streams that 
can be sent with the same token, to prevent (e.g.) a user's 
authentication token being distributed widely and used in a DDoS attack 
that passes consent checks


/a
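
Added example, not part of the original message or of the WHIP draft: a sketch of server-side admission control covering three of the items listed above (bounded token lifetime, rejecting unauthenticated requests before allocating media state, and a cap on simultaneous streams per token). The class name, the limits, the in-memory token store and the choice of 429 for the cap are assumptions made for illustration.

```python
import time

class WhipAdmission:
    """Hypothetical admission gate for WHIP POST requests, keyed by bearer token."""

    def __init__(self, max_streams_per_token=2, token_ttl_seconds=3600,
                 clock=time.monotonic):
        self.max_streams = max_streams_per_token
        self.ttl = token_ttl_seconds
        self.clock = clock
        self.issued_at = {}  # token -> time the token was issued
        self.active = {}     # token -> set of live session ids

    def issue(self, token):
        self.issued_at[token] = self.clock()

    def admit(self, token, session_id):
        """Return the HTTP status the WHIP endpoint would answer with."""
        issued = self.issued_at.get(token)
        if issued is None:
            # Unknown or missing token: refuse before any ICE/DTLS state
            # is allocated, so unauthenticated requests stay cheap.
            return 401
        if self.clock() - issued > self.ttl:
            return 401  # token outlived its validity window
        sessions = self.active.setdefault(token, set())
        if session_id not in sessions and len(sessions) >= self.max_streams:
            # A widely shared token cannot open unbounded streams.
            return 429
        sessions.add(session_id)
        return 201  # session resource created

    def release(self, token, session_id):
        """Call on HTTP DELETE or when ICE consent for the session expires."""
        self.active.get(token, set()).discard(session_id)

def demo():
    now = [0.0]  # constructed clock so the run is deterministic
    gate = WhipAdmission(max_streams_per_token=2, token_ttl_seconds=600,
                         clock=lambda: now[0])
    gate.issue("tok-A")  # constructed sample token
    out = [gate.admit("tok-A", s) for s in ("s1", "s2", "s3")]
    out.append(gate.admit("bogus", "s4"))
    gate.release("tok-A", "s1")
    out.append(gate.admit("tok-A", "s3"))
    now[0] = 601.0
    out.append(gate.admit("tok-A", "s5"))
    return out
```

Calling `release` when consent expires, and not only on DELETE, is what keeps abandoned sessions from holding a token's slots.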