
Re: [webrtc-pc] Is contents validation based on exact string matching or fingerprint list matching when verifying identity assertion?

From: Soares Chen via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Jul 2017 03:30:37 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-317618715-1500953435-sysbot+gh@w3.org>

Oops, I missed rtcweb-security-arch _section 5.6.4. Binding Identity Assertions to JSEP Offer/Answer Transactions_ which specifies the format of `contents`, which caused the entire misunderstanding.

In that case I just need one clarification: Is reordering or reformatting of the fingerprints in `contents` allowed? For example:

```javascript
const contents1 = `{
 "fingerprint": [ {
   "algorithm": "sha-256",
   "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB"
 }, { 
    "algorithm": "sha-1",
   "digest": "74:E9:76:C8:19:...:F4:45:6B"
 } ]
}`

// Reformatting and reordering of contents1
const contents2 = `{
 "fingerprint": [ 
    { "algorithm": "sha-1", "digest": "74:E9:76:C8:19:...:F4:45:6B" },
    { "algorithm": "sha-256", "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB" } 
  ]
}`
```

If peer1's `generateAssertion()` receives `contents1` and peer2's `validateAssertion()` returns `contents2`, is that valid? Section 9.4.8. in webrtc-pc allows it, although everywhere else says `validateAssertion()` MUST return the original `contents1` string.

-- 
GitHub Notification of comment by soareschen
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1505#issuecomment-317618715 using your GitHub account
Received on Tuesday, 25 July 2017 03:30:37 UTC
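
The two comparison strategies the message contrasts, as an added example that is not part of the original message or of either specification: exact string equality versus comparing the parsed fingerprint sets. The function names, the case folding and `contents3` are assumptions of this example; the digest strings are the elided samples from the message, treated as opaque text.

```javascript
'use strict';
// Added example; function names are hypothetical. Digest strings are the
// elided samples from the message, treated here as opaque text.
const contents1 = `{
 "fingerprint": [ {
   "algorithm": "sha-256",
   "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB"
 }, {
   "algorithm": "sha-1",
   "digest": "74:E9:76:C8:19:...:F4:45:6B"
 } ]
}`;
const contents2 = `{ "fingerprint": [
  { "algorithm": "sha-1", "digest": "74:E9:76:C8:19:...:F4:45:6B" },
  { "algorithm": "sha-256", "digest": "4A:AD:B9:B1:3F:...:E5:7C:AB" } ] }`;
// Constructed: contents1 with the sha-256 entry missing.
const contents3 = `{ "fingerprint": [
  { "algorithm": "sha-1", "digest": "74:E9:76:C8:19:...:F4:45:6B" } ] }`;

// Canonical sorted list of "algorithm digest" keys; throws on a bad shape.
function parseFingerprints(contents) {
  const parsed = JSON.parse(contents);
  const list = parsed && parsed.fingerprint;
  if (!Array.isArray(list) || list.length === 0) {
    throw new TypeError('expected a non-empty "fingerprint" array');
  }
  const keys = list.map((fp) => {
    if (!fp || typeof fp.algorithm !== 'string' || typeof fp.digest !== 'string') {
      throw new TypeError('fingerprint needs string "algorithm" and "digest"');
    }
    // Case folding is an assumption of this example, not a quoted rule.
    return `${fp.algorithm.toLowerCase()} ${fp.digest.toUpperCase()}`;
  });
  return [...new Set(keys)].sort();
}

// Strategy 1: the returned string must be byte-for-byte the original.
function sameString(a, b) { return a === b; }

// Strategy 2: same set of fingerprints, any order or whitespace. Fails closed.
function sameFingerprintSet(a, b) {
  try {
    const fa = parseFingerprints(a), fb = parseFingerprints(b);
    return fa.length === fb.length && fa.every((k, i) => k === fb[i]);
  } catch (err) {
    return false; // unparseable or malformed contents never match
  }
}
```

With these inputs, `contents1` and `contents2` differ under the string comparison but match under the set comparison, while `contents3` matches `contents1` under neither.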
