Re: Issue 172: DtlsTransport: getRemoteParameters() and getRemoteCertificates()

I believe that getRemoteParameters always returns the remoteParameters that were provided in DtlsTransport.start(remoteParameters).  

So it provides a storage/retrieval function - not very exciting, but not hard to implement either. 

As Steely-Glint indicates below, getRemoteCertificates() could be used to provide some visual information to the user.  That visual information would be provided by untrusted code, rather than by the browser so this isn't a substitute for IdP or in-browser certificate chain validation. 

My understanding is that getRemoteCertificates() is part of the "doohickeys" proposal to the WEBRTC WG (first discussed in May 2014).  So if the getRemoteCertificates() method is supported within the WEBRTC 1.0 API DtlsTransport object, it should be retained in ORTC 1.1 for backwards compatibility reasons. 

Steely-Glint replied: 

There are interesting things you can do with getRemoteCertificates() - basically to dig out info in it to provide visual info to the user. - Like the logo department fields. The browser checks it is valid, but that doesn't mean it is the one the user had in mind. I'd be sad if there were no way to read the public cert data.
>From Rajesh Gunnalan:

The specification could be more clear about the behavior of the getRemoteParameters() and getRemoteCertificates() methods.

DtlsTransport.start(remoteParameters) needs to be called before DTLS negotiation can complete. remoteParameters.fingerprints[i] provides the remote certificate fingerprints, which are matched against the fingerprints of the remote certificate provided within the DTLS negotiation.

The definition of getRemoteParameters is:
"Obtain the current DTLS parameters of the remote RTCDtlsTransport."

Since DTLS renegotiation isn't supported, the "current" DTLS parameters won't change after calling DtlsTransport.start(remoteParameters). Therefore getRemoteParameters() returns null prior to calling start(remoteParameters) and getRemoteParameters always returns whatever remoteParameters were provided in the argument to start().

Given this, does getRemoteParameters() have much value?

As far as getRemoteCertificates is concerned, my understanding is that this is provided in order to allow validation of remote certificates. However, since this would be done by a (potentially untrusted) application, isn't it better for validation if it is to be done to be handled by the browser?

Received on Tuesday, 17 February 2015 20:32:17 UTC