Comments (9)
We also need to fix the certificate subject name not to refer to the certificate fingerprint.
from openscreenprotocol.
It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message. However, the model-name information is exchanged during the metadata phase which happens after the connection. Is there something wrong with my understanding?
My interpretation of this is that it's the model name of the agent creating the certificate itself, meaning the model name as it is also added to the agent-info message; not the model name as is received from the remote agent. Can someone confirm/deny this? If my interpretation is correct, we may want to rephrase this to avoid any confusion.
from openscreenprotocol.
Regarding the subject name, similarly replacing it with the serial number could look as follows:
- Advertise the serial number as a
sn
mDNS TXT record. - use
<sn>._openscreen._udp
as the certificate Subject CommonName. - The dialing client can use the
sn
TXT record to construct the<sn>._openscreen._udp
to use in the server_name extension.
This keeps the 1:1 relation between server name and certificate. It don't think it impacts the certificate validation based on the fingerprint. That being said, I may have missed some of the original considerations put into the current spec. If someone can validate that, I'm happy to do the writeup and send a PR for review.
from openscreenprotocol.
It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message. However, the model-name information is exchanged during the metadata phase which happens after the connection. Is there something wrong with my understanding?
from openscreenprotocol.
Regarding the subject name, similarly replacing it with the serial number could look as follows:
That sounds like a great approach. bakkem@, do you have the capacity to put up a proposed PR that implements that?
from openscreenprotocol.
It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message
This should be same as the the model-name
of the agent that is generating the certificate. The text here could be clearer on this.
The entire Issuer Name field is mostly for debugging purposes as the certificates are self-signed.
from openscreenprotocol.
Regarding the subject name, similarly replacing it with the serial number could look as follows:
That sounds like a great approach. bakkem@, do you have the capacity to put up a proposed PR that implements that?
I will start with the spec changes. Afterwards I may look at the C implementation. My Go implementation already does this as the spec was implementable otherwise 😅
from openscreenprotocol.
I just remembered there is another precedent for this set by WebRTC's local ICE candidates:
Generate a unique mDNS hostname. The unique name MUST consist of
a version 4 UUID as defined in [RFC4122], followed by ".local".
I'm not sure if the added entropy would be warranted in our case.
from openscreenprotocol.
It seems "Issuer Name" also has problem. According to the spec, "Issuer Name" is set as the model-name from the agent-info message
This should be same as the the
model-name
of the agent that is generating the certificate. The text here could be clearer on this.The entire Issuer Name field is mostly for debugging purposes as the certificates are self-signed.
Thanks, this makes sense to me.
from openscreenprotocol.
Related Issues (20)
- Certificates should have a maximum lifetime, and SPAKE2 identities should be SPKI not cert fingerprint HOT 1
- Seek horizontal reviews on the spec HOT 1
- Clarify `time-scale` field HOT 2
- Cross-spec links are broken HOT 6
- How to control the sender side on the receiver side
- `color-gamuts` could be a single value and not a list
- MIME types and metadata encoding for Dolby Vision formats
- Matter protocol similarities HOT 4
- Remote control of Media Session
- Reallocate message type IDs?
- start looking at mechanisms to exchange information between W3C and CSA on Matter
- OSP protocol split HOT 5
- Define re-sync behavior for capabilities on network reconnection
- Explore multi-device timeline sync protocol with sub-10ms precision
- Media Over QUIC
- Representation of time in remote-playback-state
- Clarity on the use of Friendly name HOT 1
- Clarification on Negotiating Connection IDs
- Mandate unidirectional QUIC streams
- Add guidelines on how CBOR messages are mapped onto streams HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openscreenprotocol.