RFC 8224, "Authenticated Identity Management in the Session Initiation Protocol (SIP)", February 2018
Source of RFC: stir (art)
Errata ID: 5390
Publication Format(s) : TEXT
Reported By: Invalid restriction on when to add "mky"
Date Reported: 2018-06-14
Section 12.1 says:
When signing a request that contains a fingerprint of keying material in SDP for DTLS-SRTP [RFC5763], this mechanism always provides a signature over that fingerprint.
It should say:
When signing a request that contains a fingerprint of keying material in SDP, this mechanism always provides a signature over that fingerprint.
The attack vector described in 12.1 to justify the addition of "mky" is applicable to scenarios where a fingerprint in SDP is used for reasons other than DTLS-SRTP as well.
Use of a fingerprint for MSRP per RFC 4975 is an example of this.
14.4. Using TLS in Peer-to-Peer Mode
TLS can be used with a self-signed certificate as long as there is a mechanism for both sides to ascertain that the other side used the correct certificate. When used with SDP and SIP, the correct certificate can be verified by passing a fingerprint of the certificate in the SDP and ensuring that the SDP has suitable integrity protection. When SIP is used to transport the SDP, the integrity can be provided by the SIP Identity mechanism. The rest of this section describes the details of this approach.
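The following is an added illustration of what the corrected wording means for an implementer; it is not part of the erratum, RFC 8224 or RFC 8225. It assumes the "mky" claim layout of RFC 8225 (an array of {"alg","dig"} objects taken from a=fingerprint lines), uses a constructed SDP body carrying both an MSRP (RFC 4975) fingerprint and a DTLS-SRTP fingerprint, and lowercases alg / uppercases dig as a normalization choice of this example.

```python
import re

# Constructed sample SDP: an MSRP session secured by TLS (RFC 4975) and a
# DTLS-SRTP audio stream. Under the corrected text, BOTH fingerprints are
# covered by "mky", not only the one that belongs to DTLS-SRTP.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 example.com
s=-
c=IN IP4 example.com
t=0 0
m=message 7394 TCP/TLS/MSRP *
a=accept-types:text/plain
a=path:msrps://example.com:7394/2s93i93idj;tcp
a=fingerprint:SHA-1 BA:23:A8:8E:17:90:A5:A2:61:39:C3:B8:D1:F5:0C:13:2A:D8:4E:6F
m=audio 49170 UDP/TLS/RTP/SAVP 0
a=fingerprint:sha-256 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB:3E:4B:65:2E:7D:46:3F:54:42:CD:54:F1
"""

# a=fingerprint:<hash-func> <hex digest>  (session or media level)
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+)\s+(\S+)\s*$", re.MULTILINE)


def sdp_fingerprints(sdp):
    """Every a=fingerprint attribute in the SDP, regardless of which
    media line it belongs to (MSRP, DTLS-SRTP, ...)."""
    return FINGERPRINT_RE.findall(sdp)


def build_mky(sdp):
    """Signer side: build the "mky" claim as a list of {"alg","dig"}
    objects, de-duplicated and sorted by alg then dig so that the
    signed form is stable. Case normalization is this example's choice."""
    entries = {(alg.lower(), dig.upper()) for alg, dig in sdp_fingerprints(sdp)}
    return [{"alg": alg, "dig": dig} for alg, dig in sorted(entries)]


def fingerprints_attested(sdp, mky):
    """Verifier side: the set of fingerprints in the received SDP must
    equal the set in the signed "mky" claim. A substituted, added or
    removed fingerprint therefore fails, whatever media it is used for."""
    signed = {(e["alg"].lower(), e["dig"].upper()) for e in mky}
    seen = {(alg.lower(), dig.upper()) for alg, dig in sdp_fingerprints(sdp)}
    return seen == signed
```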