Message info
To:Dan Wing From:Harald Alvestrand Subject:[rtcweb] Consent freshness and message-integrity (Re: Use Case draft - legacy interop) Date:Mon, 07 May 2012 23:14:34 +0200

Forking the thread, since this is a different detail.....

On 05/05/2012 07:24 PM, Dan Wing wrote:
> The other nuance is that, because
> doing the SHA1 for MESSAGE-INTEGRITY isn't needed for consent freshness,
> there is desire to allow those periodic ICE connectivity checks to
> omit the MESSAGE-INTEGRITY, which is a change to ICE. See
> draft-muthu-behave-consent-freshness.
Omitting MESSAGE-INTEGRITY would allow off-path attackers to inject fake
connectivity checks, and thus to simulate continued consent.

If connectivity checks for content freshness are worth doing, they're
worth protecting.
My $0.02.


rtcweb mailing list