[Simple] ACM and comedia [was RE: MSRP-ACM compatibility]
Hi,
>>>>FIRST, RFC4572 already defines the usage of the fingerprint attribute,
>>>>so wouldn't your issue also apply if you ONLY use COMEDIA, with relays?
>>>
>>>If you use COMEDIA-TLS, yes. Not if you just use RFC4145, or follow _just_
>>>the connection-direction parts of the ACM draft.
>>
>>Chapter 4.1.2, which belongs to the comedia part of the ACM draft,
>>does refer to RFC4572, so my assumption so far has been that "using
>>the comedia part" would also include RFC4572 for TLS.
>>
>>So, when talking about comedia, I guess we need to separate between
>>"using the comedia part" (which, for TLS, includes the fingerprint
>>attribute) and "using just the connection-direction parts of comedia".
>>
>>And, even without the fingerprint, you still have the TLS collision
>>issue if both endpoints are "active".
>
>Ah, I see what you mean. I agree, the issue with using
>fingerprints for relay certificates is true just for the
>COMEDIA use currently defined in the ACM draft.
There are actually a number of comedia issues, but it seems like I have
mixed them. I'll try to separate them:
FIRST, if we don't use the fingerprint attribute when the MSRP clients
use self-signed signatures, we are not compliant with RFC4572. Do we
want to go that way? Do we have the mandate to go that way? Will the
security people have issues with that?
Without relays I guess there would be no issue with using the
fingerprint attribute (again, I am only talking about pure comedia here
- not SBC impacts etc). But, even with relays, I guess it would be
possible to provide the fingerprint of the remote client to the relay
e.g. using the AUTH method.
SECOND, the handshake collision occurs when both endpoints are "active".
AFAIK, that has nothing to do with whether the fingerprint is used or
not.
THIRD (new), I assume an MSRP entity behind a relay would always be
"active". I am not sure whether that is an issue, but it should probably
be mentioned in the draft.
Regards,
Christer
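As an added illustration of the two mechanisms discussed in this message (not code from the e-mail or from the ACM draft), the snippet below checks an SDP offer/answer pair for the RFC 4145 active/active collision and verifies a self-signed certificate against the RFC 4572 a=fingerprint attribute. The SDP fragments and the certificate bytes are constructed placeholders, and the role table is my reading of RFC 4145.

```python
import hashlib
import re

# RFC 4145: an 'active' offer needs a 'passive' answer and vice versa;
# 'actpass' lets the answerer choose either role (assumption from RFC 4145).
COMPATIBLE = {
    "active": {"passive"},
    "passive": {"active"},
    "actpass": {"active", "passive"},
    "holdconn": {"holdconn"},
}

def sdp_attr(sdp, name):
    """Return the value of the first a=<name>:... line, or None if absent."""
    m = re.search(rf"^a={re.escape(name)}:(.*)$", sdp, re.M)
    return m.group(1).strip() if m else None

def check_setup_roles(offer, answer):
    """Return (ok, reason); ok is False for the active/active handshake
    collision (both ends open the TCP/TLS connection) or any other pairing
    RFC 4145 does not allow.  Defaults follow RFC 4145 when a=setup is absent."""
    o = sdp_attr(offer, "setup") or "active"
    a = sdp_attr(answer, "setup") or "passive"
    if o == "active" and a == "active":
        return False, "both endpoints active: TCP/TLS handshake collision"
    if a not in COMPATIBLE.get(o, set()):
        return False, f"answer role {a!r} incompatible with offer role {o!r}"
    return True, f"offer={o} answer={a}"

def rfc4572_fingerprint(der_cert, algo="sha-1"):
    """Hash the DER certificate and format it as RFC 4572 does:
    '<ALGO> XX:XX:...' with upper-case hex bytes separated by colons."""
    h = hashlib.new(algo.lower().replace("-", ""), der_cert).hexdigest().upper()
    return f"{algo.upper()} " + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def fingerprint_matches(sdp, der_cert):
    """True only if the peer's SDP carries a fingerprint matching the
    certificate presented in TLS.  Without the attribute a self-signed
    certificate cannot be tied to the signalling, so the check fails."""
    fp = sdp_attr(sdp, "fingerprint")
    if fp is None:
        return False
    algo, _, digest = fp.partition(" ")
    try:
        return rfc4572_fingerprint(der_cert, algo) == f"{algo.upper()} {digest.strip().upper()}"
    except ValueError:          # unknown hash name in the attribute
        return False

# Constructed sample: a placeholder standing in for DER certificate bytes.
CONSTRUCTED_DER = b"constructed-DER-placeholder-not-a-real-certificate"

def sample_offer(role):
    return (f"m=message 7654 TCP/TLS/MSRP *\r\na=setup:{role}\r\n"
            f"a=fingerprint:{rfc4572_fingerprint(CONSTRUCTED_DER)}\r\n")
```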