Media signing - Cryptographic information and certificate chain with packet loss. #416
Comments
Thanks Jordan for valuable insights. They are very much appreciated. Since the specification has been written during a long period of time, some things have changed during the process and the specification is in some places poorly formulated. Regarding the difference between "Once or every document" and "Once or at any arbitrary cadence". Before adding the start-of-stream-SEI (golden-SEI) concept, we thought it could be good to lower the bitrate by sending certificates now and then (arbitrary cadence). Sending information at a different cadence is something we have in Axis Signed Video, but it makes life difficult for the client and the code on the validation side. When exporting to file, vital SEIs could be missing. Then the concept of golden-SEIs is better and more robust (if we do not account for potential packet losses). I will replace "at any arbitrary cadence" with "every document".

Packet losses Data retention time New certificate on the camera Request cryptographic SEI Disable SEI-frames
Thank you for your answer Bjorn,

For the enabling or disabling of SEI frames, in the wsdls, I see ways to check whether media signing is supported and ways of changing the signing certificates to use, but do not see a way to enable or disable the SEI frames. How would a client enable media signing? Also, is there a way for the client to know whether a client would send information "once" or "every document" before starting the stream?

Thank you,
In the Video Encoder Configuration a new field "Signed" is added to enable Media Signing. Whether a SEI is sent "once" can be identified when received.
Regarding "new certificate" on the camera. When we read the ONVIF security specification one cannot replace a certificate without terminating the existing one first, hence the stream has to be stopped and then restarted. In such a case, the new stream will need to transmit a new start-of-stream-SEI by definition.
Hello,
In Section 5.7.3 of the specification, it is mentioned that the cryptographic information that defines the algorithms is only sent once.
It is also mentioned that the certificate chain is either sent once or at an arbitrary cadence. It is not clear whether or not it is the device that chooses this cadence, but I believe that is the case. Is this correct?
I see two potential issues with this approach.
The ability for the client to request the cryptographic information and certificate chain similarly to key frame requests could help alleviate these issues.
Additionally, could the media signing SEI frames be disabled using ONVIF for networks with stringent bandwidth constraints?
Thank you,
Jordan