Unknown Key Share Attacks on uses of TLS with the Session Description Protocol (SDP)
Note: This ballot was opened for revision 06 and is now closed.
Adam Roach Yes
Deborah Brungard No Objection
Alissa Cooper No Objection
Comment (2019-08-06 for -06)
Section 2.3: s/This attack/The unknown key share attack/

Section 3: s/Neither SIP nor WebRTC identity providers are not required/Neither SIP nor WebRTC identity providers are required/
Roman Danyliw (was Discuss) No Objection
Thank you for addressing my DISCUSS and COMMENTs.
Benjamin Kaduk (was Discuss) No Objection
Thanks for these updates; they are a big improvement.

In Section 3.2

   The absence of an identity binding does not relax this requirement; if a peer provided no identity binding, a zero-length extension MUST be present to be considered valid.

For some reason my brain keeps trying to tell me that this could be misinterpreted somehow, as implying that if the peer doesn't implement this extension it would be considered invalid. But I don't see any actual specific problems with this text, so it's probably fine.

   An "external_id_hash" extension that is any length other than 0 or 32 is invalid and MUST cause the receiving endpoint to generate a fatal "decode_error" alert.

Very pedantic here, but the numbers aren't quite right, as the "external_id_hash" extension would be length 1 or 33 due to the length octet. We'd have to say that the "binding_hash" is length 0 or 32 to be pedantically correct.

Section 6

   Without identity assertions, the mitigations in this document prevent the session splicing attack described in Section 4. Defense against session concatenation (Section 5) additionally requires protocol peers are not able to claim the certificate fingerprints of other entities.

nit: "requires that".
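
The length distinction raised in the Section 3.2 comment above, as an added example that is not part of the ballot or the draft: a receiver-side check that separates the extension body length (1 or 33 octets) from the "binding_hash" length (0 or 32). The function names and the DecodeError class are hypothetical, and the single-octet length prefix is assumed from the comment's mention of a length octet.

```python
"""Length validation for an "external_id_hash" extension body (added example)."""

# Allowed binding_hash sizes, taken from the Section 3.2 text quoted above.
VALID_HASH_LENGTHS = (0, 32)


class DecodeError(ValueError):
    """Hypothetical stand-in for sending a fatal TLS "decode_error" alert."""


def parse_external_id_hash(extension_data: bytes) -> bytes:
    """Return binding_hash from the extension body, or raise DecodeError.

    Assumed wire layout: one octet carrying the binding_hash length,
    followed by exactly that many octets and nothing else.
    """
    if len(extension_data) < 1:
        raise DecodeError("missing length octet")
    declared = extension_data[0]
    binding_hash = extension_data[1:]
    if declared != len(binding_hash):
        raise DecodeError("length octet does not match remaining data")
    if declared not in VALID_HASH_LENGTHS:
        raise DecodeError("binding_hash must be 0 or 32 octets")
    return binding_hash


def classify(extension_data: bytes) -> str:
    """Summarize how a receiver would treat one extension body."""
    try:
        binding_hash = parse_external_id_hash(extension_data)
    except DecodeError as exc:
        return f"decode_error: {exc}"
    return "binding hash present" if binding_hash else "no identity binding"


# Constructed sample bodies, not captured from real traffic.
SAMPLES = {
    "empty binding (1 octet)": b"\x00",
    "32-octet hash (33 octets)": b"\x20" + bytes(range(32)),
    "bare 32 octets, no prefix": bytes(32),
    "16-octet hash": b"\x10" + bytes(16),
    "zero-octet body": b"",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:28} -> {classify(body)}")
```

The "bare 32 octets" sample is rejected because its first octet is read as a length of 0 while 31 octets follow, which is the body-versus-hash length confusion the comment points at.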