Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)
draft-ietf-mmusic-comedia-tls-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Sam Hartman |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Ted Hardie |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2006-03-13
|
06 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2006-03-08
|
06 | Amy Vezza | IESG state changed to Approved-announcement sent |
2006-03-08
|
06 | Amy Vezza | IESG has approved the document |
2006-03-08
|
06 | Amy Vezza | Closed "Approve" ballot |
2006-03-08
|
06 | Allison Mankin | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Allison Mankin |
2006-03-07
|
06 | Sam Hartman | [Ballot Position Update] Position for Sam Hartman has been changed to No Objection from Discuss by Sam Hartman |
2006-03-07
|
06 | Ted Hardie | [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from Discuss by Ted Hardie |
2006-03-07
|
06 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2006-03-06
|
06 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2006-03-06
|
06 | (System) | New version available: draft-ietf-mmusic-comedia-tls-06.txt |
2006-01-14
|
06 | Allison Mankin | Sent a reminder to Jonathan yesterday that it's been a week since the revision request and that 1. the BFCP docs are waiting in the … Sent a reminder to Jonathan yesterday that it's been a week since the revision request and that 1. the BFCP docs are waiting in the RFC queue 2. they and this are great and other will use when approval of this comes 3. want to get this done before AD transitions. Asked his ETA on revision. |
2006-01-13
|
06 | Allison Mankin | Sent request to Jonathan L again to revise (Colin and I had sent him instructions 6 January) |
2006-01-06
|
06 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2006-01-06
|
06 | (System) | Removed from agenda for telechat - 2006-01-05 |
2006-01-05
|
06 | Russ Housley | [Ballot discuss] Section 6.1 has a funny structure. The second paragraph says that one of the bullets MUST be used. Then, each of the … [Ballot discuss] Section 6.1 has a funny structure. The second paragraph says that one of the bullets MUST be used. Then, each of the bullets contains a MAY statement. I think that the following structure is more appropriate: The identity presented in the endpoint certificate MUST include an IP address, a DNS name, or a URI. The use of URIs is appropriate when the SDP session description was transmitted over a protocol (such as SIP [16]) for which the identities of session participants are defined by uniform resource identifiers (URIs). The SDP session description MUST present the same identity form, and: o When an IP address is used, the certificate MUST include an iPAddress subjectAltName which exactly matches the IP address in the connection-address in the 'c' line of the session description. o When a fully-qualified domain name is used, the certificate MUST includes a dNSName subjectAltName which exactly matches the DNS name in the connection-address in the 'c' line of the session description. DNS names MUST NOT include wildcard patterns. o When an URI is used, the certificate MUST include an uniformResourceIdentifier subjectAltName that matches . The details of what URIs are appropriate depend on the transmitting protocol. See Section 7 for more details on URI matching. |
2006-01-05
|
06 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2006-01-05
|
06 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2006-01-05
|
06 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2006-01-04
|
06 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
2006-01-04
|
06 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2006-01-04
|
06 | Sam Hartman | [Ballot discuss] In section 3.2, the document claims that an attacker who can inject packets is not a threat for the advertized mode of SDP. … [Ballot discuss] In section 3.2, the document claims that an attacker who can inject packets is not a threat for the advertized mode of SDP. I'm confused why this is true; it seems that such an attacker could claim to be an someone other than they actually are. It seems that TLS's authentication (at least if client certificates are used) could provide authentication in this case. I guess I'm just not seeing how you get from session advertized to the world to not caring about who sends traffic to it/who joins it. Section 6.1 requires that the identities of certificates be matched even if valid integrity-protected fingerprints are available. I believe this will create usability problems and will not increase security. The identity information may influence whether the certificate is stored for ssh-style leap of faith authentication in the future. The document needs to clarify how an existing ssh-style cache entry works with situations where integrity-protected fingerprints are provided. Whatever we say we should make sure that we do not make it hard for people to generate ephemeral certs that are refreshed often in the case where fingerprints are used. The security considerations section strongly recommends confidentiality. What in this protocol requires confidentiality? I think integrity is sufficient. |
2006-01-04
|
06 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley |
2006-01-04
|
06 | Sam Hartman | [Ballot Position Update] New position, Discuss, has been recorded for Sam Hartman by Sam Hartman |
2006-01-04
|
06 | Jon Peterson | [Ballot Position Update] New position, Yes, has been recorded for Jon Peterson by Jon Peterson |
2006-01-04
|
06 | Michelle Cotton | Additional IANA Comments: We also understand that there will be a RFC-Editor/IANA Note to create an att-field value sub-registry. Please make sure registration rules are … Additional IANA Comments: We also understand that there will be a RFC-Editor/IANA Note to create an att-field value sub-registry. Please make sure registration rules are included as well as any initial registrations. |
2006-01-04
|
06 | Michelle Cotton | IANA Comments: Upon approval of this document the IANA will register 2 SDP Parameters in the following registry: http://www.iana.org/assignments/sdp-parameters SDP proto value: 'TCP/TLS' SDP session … IANA Comments: Upon approval of this document the IANA will register 2 SDP Parameters in the following registry: http://www.iana.org/assignments/sdp-parameters SDP proto value: 'TCP/TLS' SDP session and media level attribute: 'fingerprint' |
2006-01-03
|
06 | Ted Hardie | [Ballot discuss] I'm concerned that the document does not describe more fully the relationship between the SDP in offer/answer mode and the subsequent TLS negotiation. … [Ballot discuss] I'm concerned that the document does not describe more fully the relationship between the SDP in offer/answer mode and the subsequent TLS negotiation. It describes well the endpoint identification problem, but does not tackle what happens if the TLS negotiation does not (or should not) succeed. If, for example, the stream cipher offered is TLS_NULL_WITH_NULL_NULL, the protection offered by using TLS would not meet the goals set out in 3.2 of this document. Deciding whether or not a particular stream cipher or MAC algorithm is acceptable to meet these goals has to happen in the interaction between the application layered above this and the tls connection used. I think that needs to be called out explicitly in the Security Consideration, to reinforce the idea that the idea that agreeing to TCP/TLS creates the obligation for the application to manage this during the TLS negotiation, rather than relieving it. |
2006-01-03
|
06 | Ted Hardie | [Ballot Position Update] New position, Discuss, has been recorded for Ted Hardie by Ted Hardie |
2006-01-03
|
06 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2006-01-01
|
06 | Russ Housley | [Ballot comment] Section 1: s/privacy/confidentiality/ s/certificate authority/certification authority/ (2 places) Section 3.3: s/certificate authority/certification authority/ Section 6.1: s/X.509 certificates/An … [Ballot comment] Section 1: s/privacy/confidentiality/ s/certificate authority/certification authority/ (2 places) Section 3.3: s/certificate authority/certification authority/ Section 6.1: s/X.509 certificates/An X.509 certificate/ s/certify identities/binds an identity and a public key/ s/needs to certify/MUST include/ Section 7: s/IPSec/IPsec/ |
2006-01-01
|
06 | Russ Housley | [Ballot discuss] My Last Call comment was not addressed. I said: > > The definition of the fingerprint attribute includes: > … [Ballot discuss] My Last Call comment was not addressed. I said: > > The definition of the fingerprint attribute includes: > > hash-func = "sha-1" / "sha-224" / "sha-256" / > "sha-384" / "sha-512" / > "md5" / "md2" / token > ; Additional hash functions can only come > ; from updates to RFC 3279 > > RFC 3279 does not define the short strings used here. RFC 3279 > provides ASN.1 object identifiers, which are not suitable here. > Please say how these identifiers will be assigned. Will IANA > maintain a registry? > The alternative would be to use the object identifiers from RFC 3279. However, this seems like a less attractive way forward... Section 6.1 has a funny structure. The second paragraph says that one of the bullets MUST be used. Then, each of the bullets contains a MAY statement. I think that the following structure is more appropriate: The identity presented in the endpoint certificate MUST include an IP address, a DNS name, or a URI. The use of URIs is appropriate when the SDP session description was transmitted over a protocol (such as SIP [16]) for which the identities of session participants are defined by uniform resource identifiers (URIs). The SDP session description MUST present the same identity form, and: o When an IP address is used, the certificate MUST include an iPAddress subjectAltName which exactly matches the IP address in the connection-address in the 'c' line of the session description. o When a fully-qualified domain name is used, the certificate MUST includes a dNSName subjectAltName which exactly matches the DNS name in the connection-address in the 'c' line of the session description. DNS names MUST NOT include wildcard patterns. o When an URI is used, the certificate MUST include an uniformResourceIdentifier subjectAltName that matches . The details of what URIs are appropriate depend on the transmitting protocol. See Section 7 for more details on URI matching. |
2006-01-01
|
06 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2006-01-01
|
06 | Brian Carpenter | [Ballot Position Update] New position, No Objection, has been recorded for Brian Carpenter by Brian Carpenter |
2005-12-26
|
06 | Allison Mankin | [Note]: 'PROTO shepherd Colin Perkins csp@csperkins.org' added by Allison Mankin |
2005-12-26
|
06 | Allison Mankin | Review by Russ Housley on mmusic list in relation to bfcp, resulted in Last Call comment about the hash-func registry. Have written, also on mmusic … Review by Russ Housley on mmusic list in relation to bfcp, resulted in Last Call comment about the hash-func registry. Have written, also on mmusic list, to Jonathan Lennox, asking him to generate text to create this list. In November I wrote to Sam asking him for pre-review: whether md2 was a downref (didn't get that answer...I probably will have to re-last call), whether to draw tls WG's attention to the IETF LC...I didn't see Sam's reply, because of mh filter vagaries, and now am asking for the TLS review late having just spotted the reply |
2005-12-26
|
06 | Allison Mankin | State Changes to IESG Evaluation from Waiting for Writeup by Allison Mankin |
2005-12-26
|
06 | Allison Mankin | Placed on agenda for telechat - 2006-01-05 by Allison Mankin |
2005-12-26
|
06 | Allison Mankin | [Ballot Position Update] New position, Yes, has been recorded for Allison Mankin |
2005-12-26
|
06 | Allison Mankin | Ballot has been issued by Allison Mankin |
2005-12-26
|
06 | Allison Mankin | Created "Approve" ballot |
2005-12-16
|
06 | (System) | State has been changed to Waiting for Writeup from In Last Call by system |
2005-12-02
|
06 | Amy Vezza | Last call sent |
2005-12-02
|
06 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2005-12-02
|
06 | Allison Mankin | State Changes to Last Call Requested from AD Evaluation by Allison Mankin |
2005-12-02
|
06 | Allison Mankin | State Change Notice email list have been change to jo@acm.org, csp@csperkins.org, jon.peterson@neustar.biz from jo@acm.org, csp@csperkins.org |
2005-12-02
|
06 | Allison Mankin | Last Call was requested by Allison Mankin |
2005-12-02
|
06 | (System) | Ballot writeup text was added |
2005-12-02
|
06 | (System) | Last call text was added |
2005-12-02
|
06 | (System) | Ballot approval text was added |
2005-12-02
|
06 | Allison Mankin | I'm not going to do the downref procedure for MD2, it's going to be removed from the spec - why would you include it, since … I'm not going to do the downref procedure for MD2, it's going to be removed from the spec - why would you include it, since it's deprecated. And surely the SHA spec is not a downref; it's been referenced normatively by RFC 4055. |
2005-12-01
|
06 | Allison Mankin | No reply from the Sec ADs - thanks, guys - my AD review comments can go out this weekend; I will LC now |
2005-11-18
|
06 | Allison Mankin | Sent mail to Russ and Sam asking about TLS-related review and downref in Last Call. Would like to Last Call and do AD/TLS review in … Sent mail to Russ and Sam asking about TLS-related review and downref in Last Call. Would like to Last Call and do AD/TLS review in parallel. Would like to start the Last Call asap |
2005-11-17
|
06 | Allison Mankin | State Changes to AD Evaluation from Publication Requested by Allison Mankin |
2005-11-17
|
06 | Allison Mankin | Shepherding AD has been changed to Allison Mankin from Jon Peterson |
2005-09-22
|
06 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
2005-09-19
|
05 | (System) | New version available: draft-ietf-mmusic-comedia-tls-05.txt |
2005-07-07
|
04 | (System) | New version available: draft-ietf-mmusic-comedia-tls-04.txt |
2005-06-16
|
03 | (System) | New version available: draft-ietf-mmusic-comedia-tls-03.txt |
2004-10-11
|
02 | (System) | New version available: draft-ietf-mmusic-comedia-tls-02.txt |
2004-07-20
|
01 | (System) | New version available: draft-ietf-mmusic-comedia-tls-01.txt |
2004-04-28
|
00 | (System) | New version available: draft-ietf-mmusic-comedia-tls-00.txt |