Unknown Key Share Attacks on uses of TLS with the Session Description Protocol (SDP)
draft-ietf-mmusic-sdp-uks-07

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: mmusic-chairs@ietf.org, adam@nostrum.com, mmusic@ietf.org, draft-ietf-mmusic-sdp-uks@ietf.org, Bo Burman <bo.burman@ericsson.com>, bo.burman@ericsson.com, The IESG <iesg@ietf.org>, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'Unknown Key Share Attacks on uses of TLS with the Session Description Protocol (SDP)' to Proposed Standard (draft-ietf-mmusic-sdp-uks-07.txt)

The IESG has approved the following document:
- 'Unknown Key Share Attacks on uses of TLS with the Session Description
   Protocol (SDP)'
  (draft-ietf-mmusic-sdp-uks-07.txt) as Proposed Standard

This document is the product of the Multiparty Multimedia Session Control
Working Group.

The IESG contact persons are Adam Roach, Alexey Melnikov and Barry Leiba.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-mmusic-sdp-uks/


Technical Summary

This document describes unknown key-share attacks on the use of
Datagram Transport Layer Security for the Secure Real-Time Transport
Protocol (DTLS-SRTP).  Similar attacks are described on the use of
DTLS-SRTP with the identity bindings used in Web Real-Time
Communications (WebRTC) and SIP identity.  These attacks are
difficult to mount, but they cause a victim to be misled about the
identity of a communicating peer.  Simple mitigation techniques are
defined for each.

Working Group Summary

The document’s progress through the working group was unremarkable.

Document Quality

The document was reviewed and discussed by a small group of key MMUSIC and RTCWEB members. No implementations are known.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

The Document Shepherd is Bo Burman.
The Responsible AD is Adam Roach.

RFC Editor Note

Please make the following two changes to the document.

In Section 3.2

OLD

   An "external_id_hash" extension that is any length other than 0 or 32
   is invalid and MUST cause the receiving endpoint to generate a fatal
   "decode_error" alert.

NEW
  An "external_id_hash" extension with a "binding_hash" field that is any
  length other than 0 or 32 is invalid and MUST cause the receiving endpoint
  to generate a fatal "decode_error" alert.

Section 6

OLD

   Without identity assertions, the mitigations in this document prevent
   the session splicing attack described in Section 4.  Defense against
   session concatenation (Section 5) additionally requires protocol
   peers are not able to claim the certificate fingerprints of other
   entities.

NEW

   Without identity assertions, the mitigations in this document prevent
   the session splicing attack described in Section 4.  Defense against
   session concatenation (Section 5) additionally requires that protocol
   peers are not able to claim the certificate fingerprints of other
   entities.

(Replace "requires" with "requires that")
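
The Section 3.2 rule in the note above, shown as an added example that is not part of this announcement or of the draft: a receiver-side check of an "external_id_hash" extension body. It assumes the body is a single "binding_hash" field carried as a TLS variable-length vector with a one-byte length prefix, an encoding this page does not spell out; `DecodeError`, `parse_external_id_hash` and `classify` are hypothetical names.

```python
import hashlib

VALID_BINDING_HASH_LENGTHS = (0, 32)


class DecodeError(Exception):
    """Hypothetical stand-in for sending a fatal TLS "decode_error" alert."""


def parse_external_id_hash(extension_data: bytes) -> bytes:
    """Return the binding_hash field, or raise DecodeError if it is malformed.

    Assumed encoding: one length byte followed by that many hash bytes.
    """
    if not extension_data:
        raise DecodeError("extension body has no binding_hash length byte")
    declared, binding_hash = extension_data[0], extension_data[1:]
    if declared != len(binding_hash):
        raise DecodeError("binding_hash length byte does not match the data")
    # The 0-or-32 rule applies to the field, so a valid extension body is
    # 1 or 33 bytes long under the assumed encoding.
    if declared not in VALID_BINDING_HASH_LENGTHS:
        raise DecodeError(f"binding_hash is {declared} bytes, expected 0 or 32")
    return binding_hash


def classify(extension_data: bytes) -> str:
    """Map an extension body to the action a receiver takes."""
    try:
        binding_hash = parse_external_id_hash(extension_data)
    except DecodeError:
        return "fatal decode_error"
    return "accept, 32-byte field" if binding_hash else "accept, empty field"


# Constructed sample inputs; the hashed bytes are a placeholder, not a real binding.
SAMPLE_HASH = hashlib.sha256(b"constructed identity binding").digest()
SAMPLES = {
    "empty field": b"\x00",
    "32-byte field": bytes([32]) + SAMPLE_HASH,
    "bare 32 bytes, no length byte": SAMPLE_HASH,
    "16-byte field": bytes([16]) + SAMPLE_HASH[:16],
    "truncated field": bytes([32]) + SAMPLE_HASH[:31],
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify(data)}")
```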