Skip to main content

Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP)
RFC 8844

Yes

(Adam Roach)

No Objection

Alvaro Retana
Warren Kumari
(Alexey Melnikov)
(Barry Leiba)
(Deborah Brungard)
(Mirja Kühlewind)
(Suresh Krishnan)

Note: This ballot was opened for revision 06 and is now closed.

Alvaro Retana No Objection

Roman Danyliw (was Discuss) No Objection

Comment (2019-08-12)
Thank you for addressing my DISCUSS and COMMENTs.

Warren Kumari No Objection

(Adam Roach; former steering group member) Yes

Yes (for -06)

                            

(Alexey Melnikov; former steering group member) No Objection

No Objection (for -06)

                            

(Alissa Cooper; former steering group member) No Objection

No Objection (2019-08-06 for -06)
Section 2.3: s/This attack/The unknown key share attack/

Section 3: s/Neither SIP nor WebRTC identity providers are not required/Neither SIP nor WebRTC identity providers are required/

(Barry Leiba; former steering group member) No Objection

No Objection (for -06)

                            

(Benjamin Kaduk; former steering group member) (was Discuss) No Objection

No Objection (2019-08-09)
Thanks for these updates; they are a big improvement.

In Section 3.2

   The absence of an identity binding does not relax this requirement;
   if a peer provided no identity binding, a zero-length extension MUST
   be present to be considered valid.

For some reason my brain keeps trying to tell me that this could be
misinterpreted somehow, as implying that if the peer doesn't implement
this extension it would be considered invalid.  But I don't see any
actual specific problems with this text, so it's probably fine.

   An "external_id_hash" extension that is any length other than 0 or 32
   is invalid and MUST cause the receiving endpoint to generate a fatal
   "decode_error" alert.

Very pedantic here, but the numbers aren't quite right, as the 
"external_id_hash" extension would be length 1 or 33 due to the length
octet.  We'd have to say that the "binding_hash" is length 0 or 32 to be
pedantically correct.

Section 6

   Without identity assertions, the mitigations in this document prevent
   the session splicing attack described in Section 4.  Defense against
   session concatenation (Section 5) additionally requires protocol
   peers are not able to claim the certificate fingerprints of other
   entities.

nit: "requires that".

(Deborah Brungard; former steering group member) No Objection

No Objection (for -06)

                            

(Mirja Kühlewind; former steering group member) No Objection

No Objection (for -06)

                            

(Suresh Krishnan; former steering group member) No Objection

No Objection (for -06)