Re: [webrtc-extensions] Feature Request: ICE support Host TLS candidates (#236)

> If you are authenticating via SDP and a=fingerprint, doesn't that just increase the operational burden?

You are connecting to an IP address through TLS. The load balancer (if there is one) should not know the SFU's certificate + private key that is being used for DTLS. This is different (or similar?) from TURN/TLS where the load balancer has the key+cert for the hostname of the TURN server. We have an IP address here.

Ideally we can say
* if the candidate has a `subjectAlternativeName` `extension-att-name` run [Peter's rules](https://www.rfc-editor.org/rfc/rfc6125) with the 
* otherwise expect the other side's `fingerprint` to match the one in the SDP

-- 
GitHub Notification of comment by fippo
Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/issues/236#issuecomment-3021751658 using your GitHub account


Received on Tuesday, 1 July 2025 04:45:41 UTC
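
The two-branch rule proposed in the comment above, as an added example (not code from the comment's author or from any WebRTC specification). The `subjectAlternativeName` candidate attribute is the proposal's own and not a standardized one, `name_check` is a hypothetical callback standing in for the TLS stack's RFC 6125 check, and the certificate bytes, candidate lines and SDP are constructed.

```python
import hashlib
import hmac

# Strong hash names from a=fingerprint (RFC 8122) mapped to hashlib names.
HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def candidate_extensions(candidate_line):
    """Return the name/value pairs that follow 'typ <type>' on a candidate line."""
    tokens = candidate_line.split(":", 1)[1].split()
    rest = tokens[8:]  # skip foundation, component, transport, priority, addr, port, typ, type
    return dict(zip(rest[0::2], rest[1::2]))

def sdp_fingerprint(sdp):
    """Return (hash name, digest bytes) from the first a=fingerprint line."""
    for line in sdp.splitlines():
        if line.startswith("a=fingerprint:"):
            algo, value = line[len("a=fingerprint:"):].split()
            return algo.lower(), bytes.fromhex(value.replace(":", ""))
    raise ValueError("no a=fingerprint in SDP")

def verify_peer(candidate_line, sdp, cert_der, name_check):
    """Pick the check the candidate asks for and run it; returns (mode, ok)."""
    name = candidate_extensions(candidate_line).get("subjectAlternativeName")
    if name is not None:
        # Hypothetical attribute from the proposal: defer to RFC 6125 matching.
        return "name", bool(name_check(cert_der, name))
    algo, expected = sdp_fingerprint(sdp)
    if algo not in HASHES:
        return "fingerprint", False  # unknown or weak hash: fail closed
    actual = hashlib.new(HASHES[algo], cert_der).digest()
    return "fingerprint", hmac.compare_digest(actual, expected)

# Constructed sample data (not a real certificate or a real session description).
CERT_DER = b"constructed stand-in for the peer's DER-encoded certificate"
DIGEST = hashlib.sha256(CERT_DER).digest()
SDP = "v=0\r\na=fingerprint:sha-256 " + ":".join(f"{b:02X}" for b in DIGEST) + "\r\n"
CAND_FP = "a=candidate:1 1 TCP 2105458943 192.0.2.10 443 typ host tcptype passive"
CAND_NAME = CAND_FP + " subjectAlternativeName sfu.example.net"
```

In the fingerprint branch a TLS-terminating load balancer that lacks the SFU's key cannot present a certificate matching the SDP, which is the property the comment relies on.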