draft-ietf-mmusic-4572-update-04.txt   draft-ietf-mmusic-4572-update-05.txt 
Network Working Group C. Holmberg
Internet-Draft Ericsson
Updates: 4572 (if approved) June 7, 2016 Updates: 4572 (if approved) June 10, 2016
Intended status: Standards Track
Expires: December 9, 2016 Expires: December 12, 2016
Updates to RFC 4572
draft-ietf-mmusic-4572-update-04.txt draft-ietf-mmusic-4572-update-05.txt
Abstract
This document updates RFC 4572 by clarifying the usage of multiple
SDP 'fingerprint' attributes with a single TLS connection. The
document also updates the preferred cipher suite with a stronger
cipher suite, and removes the requirement to use the same hash
function for calculating a certificate fingerprint that is used to
calculate the certificate signature.
skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 9, 2016. This Internet-Draft will expire on December 12, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 2, line 14
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Update to RFC 4572 . . . . . . . . . . . . . . . . . . . . . 3
3.1. Update to the sixth paragraph of section 5 . . . . . . . 3
3.2. New paragraphs to the end of section 5 . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 6
8. Normative References . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
RFC 4572 [RFC4572] specifies how to establish Transport Layer
Security (TLS) connections using the Session Description Protocol
skipping to change at page 5, line 24
fingerprints are exchanged. In such cases, one or more fingerprints
MUST be calculated for each possible certificate. An endpoint
MUST, as a minimum, calculate a fingerprint using the 'SHA-256'
hash function algorithm for each possible certificate, unless the
endpoint knows that the peer supports a stronger algorithm, or
unless the endpoint knows that the peer has not been upgraded to
support the 'SHA-256' algorithm, or unless the endpoint is used for
a service, or within an environment that mandates usage of a
stronger algorithm.
When an endpoint receives one or more fingerprints from its peer,
and is about to calculate its own fingerprints, unless
the endpoint has other ways of knowing what hash functions the peer
supports the endpoint MUST calculate at least one fingerprint using
a hash function that was also used by the peer to calculate a
fingerprint. In addition, the endpoint MAY calculate fingerprints
using hash functions that were not used by the peer.
If fingerprints associated with multiple certificates are
calculated, the same set of hash functions MUST be used to
calculate fingerprints for each certificate associated with the
m- line.
For each used certificate, an endpoint MUST be able to match at
least one fingerprint, calculated using the hash function that the
endpoint supports and considers most secure, with the used
certificate. If the checked fingerprint does not match the used
certificate, the endpoint MUST NOT establish the TLS connection. In
skipping to change at page 6, line 26 skipping to change at page 6, line 18
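As an added example (not text or code from the draft or from RFC 4572), the following Python sketch applies the fingerprint rules above: an offerer emits 'fingerprint' attributes with SHA-256 as the mandatory minimum, and the answering endpoint matches the certificate its peer actually used against the fingerprint calculated with the strongest hash function it supports, refusing the TLS connection on a mismatch or when no supported hash function was offered. The DER bytes are a constructed stand-in for a certificate, and the function names are assumptions made here.

```python
import hashlib
import re

# Hash function names registered for the SDP 'fingerprint' attribute
# (RFC 4572 section 5) mapped to hashlib; 'md2' has no hashlib support
# and is therefore treated as unsupported below.
HASH_FUNCS = {
    "sha-1": hashlib.sha1, "sha-224": hashlib.sha224, "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384, "sha-512": hashlib.sha512, "md5": hashlib.md5,
}
# Local preference, strongest first: the verifier checks the strongest
# hash function it supports among the fingerprints the peer offered.
PREFERENCE = ["sha-512", "sha-384", "sha-256", "sha-224", "sha-1", "md5"]
FP_RE = re.compile(r"^a=fingerprint:([A-Za-z0-9-]+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)$")

# Constructed stand-in for a DER-encoded certificate (not a real X.509 blob);
# the fingerprint is simply a hash over these bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-bytes-for-demo" * 4


def fingerprint(cert_der: bytes, hash_func: str) -> str:
    """Colon-separated upper-case hex digest, the RFC 4572 attribute format."""
    return ":".join(f"{b:02X}" for b in HASH_FUNCS[hash_func](cert_der).digest())

def fingerprint_attrs(cert_der: bytes, hash_funcs) -> list:
    """a=fingerprint lines for one certificate; SHA-256 is the mandatory minimum."""
    if "sha-256" not in hash_funcs:
        raise ValueError("a 'SHA-256' fingerprint MUST be included")
    return [f"a=fingerprint:{h} {fingerprint(cert_der, h)}" for h in hash_funcs]

def parse_fingerprints(sdp_lines) -> dict:
    """Map each offered hash function name to the set of fingerprints given with it."""
    offered = {}
    for line in sdp_lines:
        m = FP_RE.match(line.strip())
        if m:
            offered.setdefault(m.group(1).lower(), set()).add(m.group(2).upper())
    return offered

def verify_certificate(sdp_lines, used_cert_der: bytes) -> bool:
    """True only if the certificate the peer actually used matches a fingerprint
    calculated with the strongest hash function this endpoint supports; on False
    the TLS connection MUST NOT be established."""
    offered = parse_fingerprints(sdp_lines)
    for h in PREFERENCE:
        if h in offered:
            return fingerprint(used_cert_der, h) in offered[h]
    return False  # peer offered no fingerprint with a hash function we support
```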
6. Acknowledgements
Martin Thomson, Paul Kyzivat, Jonathan Lennox and Roman Shpount
provided valuable comments and input on this document.
7. Change Log
[RFC EDITOR NOTE: Please remove this section when publishing]
Changes from draft-ietf-mmusic-4572-update-04
o Removed previously added requirement that endpoint must calculate at
least one fingerprint using a hash function that was also used by
the peer.
Changes from draft-ietf-mmusic-4572-update-03
o Mandatory (except in specific situations) to provide a fingerprint
calculated using SHA-256.
o When an endpoint receives fingerprints from its peer, the endpoint
must (except in specific situations) calculate at least one
fingerprint using a hash function that was also used by the peer.
Changes from draft-ietf-mmusic-4572-update-02
skipping to change at page 7, line 33 skipping to change at page 7, line 30
o IANA considerations section added.
8. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4572] Lennox, J., "Connection-Oriented Media Transport over the
Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", RFC 4572,
DOI 10.17487/RFC4572, July 2006,
<http://www.rfc-editor.org/info/rfc4572>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <http://www.rfc-editor.org/info/rfc4566>.
Author's Address
Christer Holmberg
Ericsson
Hirsalantie 11
Jorvas 02420
Finland
Email: christer.holmberg@ericsson.com