Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP)
draft-ietf-mmusic-sdp-uks-07

Yes

(Adam Roach)

No Objection

Roman Danyliw

Warren Kumari

(Alexey Melnikov)

(Alissa Cooper)

(Alvaro Retana)

(Barry Leiba)

(Benjamin Kaduk)

(Deborah Brungard)

(Mirja Kühlewind)

(Suresh Krishnan)

Note: This ballot was opened for revision 06 and is now closed.

Roman Danyliw

(was Discuss) No Objection

Comment (2019-08-12) Sent for earlier

Thank you for addressing my DISCUSS and COMMENTs.

Warren Kumari

No Objection

Adam Roach Former IESG member

Yes

Yes (for -06) Unknown

Alexey Melnikov Former IESG member

No Objection

No Objection (for -06) Not sent

Alissa Cooper Former IESG member

No Objection

No Objection (2019-08-06 for -06) Sent

Section 2.3: s/This attack/The unknown key share attack/

Section 3: s/Neither SIP nor WebRTC identity providers are not required/Neither SIP nor WebRTC identity providers are required/

Alvaro Retana Former IESG member

No Objection

No Objection (for -06) Not sent

Barry Leiba Former IESG member

No Objection

No Objection (for -06) Not sent

Benjamin Kaduk Former IESG member

(was Discuss) No Objection

No Objection (2019-08-09) Sent

Thanks for these updates; they are a big improvement.

In Section 3.2

   The absence of an identity binding does not relax this requirement;
   if a peer provided no identity binding, a zero-length extension MUST
   be present to be considered valid.

For some reason my brain keeps trying to tell me that this could be
misinterpreted somehow, as implying that if the peer doesn't implement
this extension it would be considered invalid.  But I don't see any
actual specific problems with this text, so it's probably fine.

   An "external_id_hash" extension that is any length other than 0 or 32
   is invalid and MUST cause the receiving endpoint to generate a fatal
   "decode_error" alert.

Very pedantic here, but the numbers aren't quite right, as the 
"external_id_hash" extension would be length 1 or 33 due to the length
octet.  We'd have to say that the "binding_hash" is length 0 or 32 to be
pedantically correct.

Section 6

   Without identity assertions, the mitigations in this document prevent
   the session splicing attack described in Section 4.  Defense against
   session concatenation (Section 5) additionally requires protocol
   peers are not able to claim the certificate fingerprints of other
   entities.

nit: "requires that".

Deborah Brungard Former IESG member

No Objection

No Objection (for -06) Not sent

Mirja Kühlewind Former IESG member

No Objection

No Objection (for -06) Not sent

Suresh Krishnan Former IESG member

No Objection

No Objection (for -06) Not sent

Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP) draft-ietf-mmusic-sdp-uks-07

Unknown Key-Share Attacks on Uses of TLS with the Session Description Protocol (SDP)
draft-ietf-mmusic-sdp-uks-07