Re: [Wish] Publication has been requested for draft-ietf-wish-whip-08
Sean Turner <sean@sn3rd.com> Fri, 21 July 2023 16:41 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE7D6C14CE3B for <wish@ietfa.amsl.com>; Fri, 21 Jul 2023 09:41:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yrSNONsQQo_e for <wish@ietfa.amsl.com>; Fri, 21 Jul 2023 09:41:06 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02633C1522D3 for <wish@ietf.org>; Fri, 21 Jul 2023 09:41:05 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id d75a77b69052e-4053cc10debso15739281cf.2 for <wish@ietf.org>; Fri, 21 Jul 2023 09:41:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1689957665; x=1690562465; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=idC8cabbPKoUiz9Fv6GqHLrYWt31iBjiZ7ijC0gcOS4=; b=H87lzmxXi+92TQMFDfcdZ4251Aa6wn2ecyd2MgF+ahwulwKif3o+Q2pSkRdO3bLWTQ 5BsHHLfn37Xpw8oVcxgiEFbkOVuRL1vhdApggzJtx+bj9Aypp+kQ3DBJ9MXYCihzN6+w gRUCvNXrquwdWB5twyBvA8EJx9TCZX5ms6tQ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689957665; x=1690562465; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=idC8cabbPKoUiz9Fv6GqHLrYWt31iBjiZ7ijC0gcOS4=; b=U9JSfT5aEC6b8w6QR4j7dZMZl73Vl/7MDpoVzu2YU+O6863IC8MNUH88Rya+rZIBLN Y3j/IxmFNTscQCIORpqZmbjAwXN82mVOBFiWbmOSD1IuUzppQsFhmTjt3hP0rKWT30Pf +v9JarnFNWKhXNrVHJX3IltW3kLkU3K8kaflJZidg1IPIcff39utP2PfaFBrCKYp4Zeq 0Qxp7GOtftZlcgYMIWIzjC9eoNvU9GysDvkTuxePgtPCZ/XygFMPogsnmk+8Hcf6UtjP Sg2v7N4uQ3B4LZX86IHb8JeHXWbgX/7xsGXhT7wrgq9cV+yjptdhwkqnqvBwUGejBRZa cBUw==
X-Gm-Message-State: ABy/qLZbadvpW+vT8RW0fSRP4fnoSZ22DIDoNi+KuyRQnrMQOcKNLdsp eO+zMmWNyS5u5TJITQ+Jl3386w==
X-Google-Smtp-Source: APBJJlHhJqsFs24IvqF1SP2wIQO0apL3yiG+A/t/+ukcVEJg3hQEli2Ulf9wCtsACsAdYNMyWOUzNg==
X-Received: by 2002:ac8:5a0a:0:b0:403:b1ef:6ac5 with SMTP id n10-20020ac85a0a000000b00403b1ef6ac5mr683578qta.56.1689957664678; Fri, 21 Jul 2023 09:41:04 -0700 (PDT)
Received: from smtpclient.apple ([2600:4040:253b:7300:acdb:c046:f743:8eae]) by smtp.gmail.com with ESMTPSA id cb19-20020a05622a1f9300b004016edea7dfsm1344347qtb.63.2023.07.21.09.41.03 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Jul 2023 09:41:03 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CA+ag07adbHWpchi3W=pFxVv1xN5xkcNgkr2HVQYc3cEYP-3ExA@mail.gmail.com>
Date: Fri, 21 Jul 2023 12:41:03 -0400
Cc: WISH List <wish@ietf.org>, WISH Chairs <wish-chairs@ietf.org>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <63AEC8DC-88F9-4104-AD8A-3EAF5015B993@sn3rd.com>
References: <168254249812.28876.14989555994736804883@ietfa.amsl.com> <CAL0qLwZ=e=1g7q6An5yFR=yE=ZyMLJWUX=nmL5WqUiTjxSZEwA@mail.gmail.com> <CA+ag07bqrE3tQV0LWrZ9V6QZzG+oxzFe7YWriixfr+tzev69-w@mail.gmail.com> <CAL0qLwY=_EKOLqCGS9D5DpnHkpRsWcAWV-nHp19iVK-umJszEg@mail.gmail.com> <CA+ag07adbHWpchi3W=pFxVv1xN5xkcNgkr2HVQYc3cEYP-3ExA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/alJJWfmg1uszLnx7jcvwik7pI48>
Subject: Re: [Wish] Publication has been requested for draft-ietf-wish-whip-08
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2023 16:41:10 -0000
Murray, Sergio’s got a fix for the outstanding issue and Barry (ARTART review) agreed: https://mailarchive.ietf.org/arch/msg/wish/KDfInrIEU9uSSow8Oi_Qvz4BFtw/ Should we ask Sergio to spin a -09 next week so we can get the IETF LC going? spt > On Jun 27, 2023, at 10:05, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote: > > Hi Murray. > > I have create issues with your feedback on the github tracker and generate changes for most of them: > > https://github.com/wish-wg/webrtc-http-ingest-protocol/issues?q=is%3Aissue+is%3Aclosed+label%3Aad-review > > On Thu, Jun 8, 2023 at 4:28 PM Murray S. Kucherawy <superuser@gmail.com> wrote: > Sorry I missed this earlier. > > On Thu, May 11, 2023 at 1:50 AM Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote: > > > * There are lots of SHOULDs that could benefit from some explanation of when one might not do what the SHOULD says (or do what the SHOULD NOT says). Since you're giving implementers a choice here, some advice about that choice would be good to include. Or maybe some of these SHOULDs really ought to be MUSTs? Same goes for RECOMMENDED. For instance in Section 4, you have "The SDP offer SHOULD use the "sendonly" attribute. Why? Or why would I not? What if I don't? > > In WHIP we are reusing the WebRTC/SDP/RTP specifications, and defining how those specs are used to establish a streaming session. As SDP O/A is a negotiation between the client and the server, there are some options that while there are not the correct ones according to our intended usage (like sending "sendonly" as direction on the SDP offer), they are not "illegal" in the WebRTC/SDP specs. For example, if you build a WHIP client on a browser, the default direction on the offer will be "sndrcv", and the server should be ready to accept it. The MUST is on the server side that has to answer with a "recvonly" direction always. So in this particular case, the direction sent by the client is a bit irrelevant, but the proper value semantically is "sendonly", that's why it is a SHOULD and not a MUST. > > OK, I think you might consider adding text to this effect. If you're going to make it a normative almost-requirement, it's good to explain to implementers why, and/or what happens if they don't. > > I have been reviewing the recommended language usage and added further clarifications on the reason of the recommendation on many of them: > > https://github.com/wish-wg/webrtc-http-ingest-protocol/commit/c499dbab5ad5ea651c65a818d7e303c314a4e048 > > > > * This is a pretty thin Security Considerations section. Is that really all there is? Shouldn't we at least say something like "As this protocol is built entirely atop SDP and (things), the security considerations of those protocols apply here as well."? It's pretty unusual to claim (expressly or by omission) that a new protocol has absolutely no security concerns. > > Definitely the section would require a rewrite, however the intent would be the same. We are "just" specifying the usage of well known protocols (webrtc, SDP, https,.. ) so we are not introducing any new attack surface that was not already covered in those. The only point that could be new to this protocol is explaining the security of the rest api calls with the bearer token, any suggestion on how this could be rewritten? > > I think the suggestion I made would suffice: At a minimum, be explicit that you're importing the security consideration of the layer below. Adding some text about the security issue you just identified would also be helpful. > > This was perfect timing as Sandro Gauci made a presentation about the WHIP surface attack and security concerns during the last CommCon UK conference last week. > > I have added his feedback to the security section and also added more details of the imported security considerations from the lower layers: > > https://github.com/wish-wg/webrtc-http-ingest-protocol/commit/6196413f6d12798c9ee6557ce3a2dcfa0ebef16a#diff-6ca9ae63875a605dbaf6d8e45c08b5945951d62135ae0661065b7fe9ebb04d84R405 > > > > > > * Sections 6.3 and 6.4 confuse me, though this is possibly just my inexperience with URN namespaces talking. It looks like you're creating a registry for IANA to manage, but doing it completely outside of the pattern RFC 8126 describes. Given the reference to RFC 3553, I'm guessing this is somewhat normal, though I wonder why RFC 2434 wasn't used. Is that all correct? > > I don't have much knowledge about the urn ietf namespace, but the ones on the RFC 2434 don't seem appropriate to me and the only one that seems to be active at IANA are the "urn:ietf:params:" namespaces specified in rfc3553: > https://www.iana.org/assignments/params/params.xhtml#urn-subnamespaces > > I used the SCIM registry as an example when writing the WHIP registry , but it is also used by the rtp header extension registry. Is there anyone that we could ask to confirm if this is ok? > > Let me ask a couple of people and get back to you. > > > This is the only pending topic from your review, I will comment on the email from Barry. > > Best regards > Sergio
- [Wish] Publication has been requested for draft-i… Nils Ohlmeier via Datatracker
- Re: [Wish] Publication has been requested for dra… Murray S. Kucherawy
- Re: [Wish] Publication has been requested for dra… Sergio Garcia Murillo
- Re: [Wish] Publication has been requested for dra… Sergio Garcia Murillo
- Re: [Wish] Publication has been requested for dra… Murray S. Kucherawy
- Re: [Wish] Publication has been requested for dra… Sergio Garcia Murillo
- Re: [Wish] Publication has been requested for dra… Sean Turner