draft-ietf-mmusic-4572-update-12.txt   draft-ietf-mmusic-4572-update-13.txt 
Network Working Group J. Lennox Network Working Group J. Lennox
Internet-Draft Vidyo Internet-Draft Vidyo
Obsoletes: 4572 (if approved) C. Holmberg Obsoletes: 4572 (if approved) C. Holmberg
Intended status: Standards Track Ericsson Intended status: Standards Track Ericsson
Expires: July 30, 2017 January 26, 2017 Expires: August 6, 2017 February 2, 2017
Connection-Oriented Media Transport over TLS in SDP Connection-Oriented Media Transport over TLS in SDP
draft-ietf-mmusic-4572-update-12 draft-ietf-mmusic-4572-update-13
Abstract Abstract
This document specifies how to establish secure connection-oriented This document specifies how to establish secure connection-oriented
media transport sessions over the Transport Layer Security (TLS) media transport sessions over the Transport Layer Security (TLS)
protocol using the Session Description Protocol (SDP). It defines protocol using the Session Description Protocol (SDP). It defines
the SDP protocol identifier, 'TCP/TLS'. It also defines the syntax the SDP protocol identifier, 'TCP/TLS'. It also defines the syntax
and semantics for an SDP 'fingerprint' attribute that identifies the and semantics for an SDP 'fingerprint' attribute that identifies the
certificate that will be presented for the TLS session. This certificate that will be presented for the TLS session. This
mechanism allows media transport over TLS connections to be mechanism allows media transport over TLS connections to be
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 30, 2017. This Internet-Draft will expire on August 6, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 39 skipping to change at page 6, line 39
actual SDP content.) actual SDP content.)
m=image 54111 TCP/TLS t38 m=image 54111 TCP/TLS t38
c=IN IP4 192.0.2.2 c=IN IP4 192.0.2.2
a=setup:passive a=setup:passive
a=connection:new a=connection:new
a=fingerprint:SHA-256 \ a=fingerprint:SHA-256 \
12:DF:3E:5D:49:6B:19:E5:7C:AB:4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF: \ 12:DF:3E:5D:49:6B:19:E5:7C:AB:4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF: \
3E:5D:49:6B:19:E5:7C:AB:4A:AD 3E:5D:49:6B:19:E5:7C:AB:4A:AD
a=fingerprint:SHA-1 \ a=fingerprint:SHA-1 \
4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
Figure 1: Example SDP Description Offering a TLS Media Stream Figure 1: Example SDP Description Offering a TLS Media Stream
4. Protocol Identifiers 4. Protocol Identifiers
The 'm' line in SDP specifies, among other items, the transport The 'm' line in SDP specifies, among other items, the transport
protocol to be used for the media in the session. See the "Media protocol to be used for the media in the session. See the "Media
Descriptions" section of SDP [8] for a discussion on transport Descriptions" section of SDP [8] for a discussion on transport
protocol identifiers. protocol identifiers.
skipping to change at page 9, line 27 skipping to change at page 9, line 27
algorithm, or if local policy mandates use of stronger algorithms. algorithm, or if local policy mandates use of stronger algorithms.
If fingerprints associated with multiple certificates are calculated, If fingerprints associated with multiple certificates are calculated,
the same set of hash functions MUST be used to calculate fingerprints the same set of hash functions MUST be used to calculate fingerprints
for each certificate associated with the 'm' line. for each certificate associated with the 'm' line.
An endpoint MUST select the set of fingerprints which use its most An endpoint MUST select the set of fingerprints which use its most
preferred hash function (out of those offered by the peer) and verify preferred hash function (out of those offered by the peer) and verify
that each certificate used matches one fingerprint out of that set. that each certificate used matches one fingerprint out of that set.
If a certificate does not match any such fingerprint, the endpoint If a certificate does not match any such fingerprint, the endpoint
MUST NOT establish the TLS connection MUST NOT establish the TLS connection.
An endpoint MAY, in addition to its more preferred hash function,
also verify that each certificate used matches fingerprints
calculated using other hash functions. Unless there is a matching
fingerprint for each tested hash function, the endpoint MUST NOT
establish the TLS connection.
NOTE: The SDP fingerprint attribute does not contain a reference to a NOTE: The SDP fingerprint attribute does not contain a reference to a
specific certificate. Endpoints need to compare the fingerprint with specific certificate. Endpoints need to compare the fingerprint with
a certificate hash in order to look for a match. a certificate hash in order to look for a match.
6. Endpoint Identification 6. Endpoint Identification
6.1. Certificate Choice 6.1. Certificate Choice
An X.509 certificate binds an identity and a public key. If SDP An X.509 certificate binds an identity and a public key. If SDP
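Review bot: the paragraph added in -13 says "in addition to its more preferred hash function" while the paragraph immediately above it says "most preferred hash function"; use "most" in both so the two requirements clearly refer to the same selection, e.g. "An endpoint MAY, in addition to its most preferred hash function, also verify that each certificate used matches fingerprints calculated using other hash functions." It would also help to state what the optional extra verification buys: an endpoint that cannot present a certificate matching the most preferred fingerprint is already rejected by the preceding MUST, so the additional checks do not change that binding; their practical effect is that a peer advertising fingerprints which do not all correspond to the same certificate is rejected rather than accepted on the strongest match alone. Because the new text makes that rejection a MUST NOT whenever an additional hash function is tested, opting in is a fail-closed choice that costs interoperability against a peer publishing one stale or miscomputed fingerprint (for example an unmaintained SHA-1 line beside a correct SHA-256 line); a sentence making that trade-off explicit would prevent implementers from enabling the extra checks without understanding why connections to such peers fail.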
 End of changes. 5 change blocks. 
11 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/