[dispatch] Charter Proposal for OSRTP Working Group

[Alan Johnston <alan.b.johnston@gmail.com>]

All,

Here is proposed text for an OSRTP Working Group which we would request to
be dispatched.  We are not sure that we really need to form a working group
in order to publish what is effectively already industry best practices,
but this text is for discussion of the topic and the determination of the
path forward in here in dispatch.

Comments most welcome!

- Alan -

 - - - - - - - -

Charter for Opportunistic Security for RTP Working Group (OSRTP)

Real-time voice and video communication using RTP is widely used over the
Internet today, and much of it is negotiated using SIP and SDP
offer/answer.  Secure media transport negotiated using SIP and SDP with the
secure profile of RTP, SRTP, is unfortunately not widely deployed today for
voice and video communication.  One reason for this is the difficulty in
negotiating the use of SRTP.  SDP offer/answer was not originally designed
to negotiate profiles of RTP, and extensions such as SDP Capability
Negotiation, RFC 5939, have not achieved enough deployment to be useful for
negotiating secure media.  Without extensions, a caller needs to decide in
advance that secure media is used, but if chosen in advance and the called
party does not support it, the session will fail.  This presents a serious
barrier to incremental deployment of secure media.

Opportunistic Security (OS), defined in RFC 7435, is an approach to
security that defines a third mode for security between "cleartext" and
"comprehensive protection" that allows encryption and authentication to be
used if supported but will not result in failures if it is not supported.
An opportunistic approach for secure media would allow SRTP to be used if
the called party support the opportunistic approach, but will fall back to
RTP if the called party does not.  This will allow SRTP to be incrementally
introduced in voice and video communication networks during the transition
from no encryption to always-on encryption.

WG Objectives

This WG will work on a solution for Opportunistic SRTP (OSRTP) that does
not require SDP Capability Negotiation, but instead will be based on
currently deployed techniques in many voice and video systems that use SDP
offers that do not specify a secure profile, but instead use AVP and the
presence of SRTP keying SDP attributes in the SDP offer and answer to
negotiate secure media. The approach will be general enough to work with a
variety of SRTP key agreement protocols including, but not limited to SDP
Security Descriptions, DTLS-SRTP, and ZRTP.

It is important to note that OSRTP makes no changes, and has no effect on
media sessions in which the offer contains a secure profile of RTP, such as
SAVP. Also, approaches that always require secure media, such as RTCWEB,
will never utilize OSRTP.

As allowed by Opportunistic Security, some authentication requirements of
SRTP key agreement approaches will be relaxed.  However, confidentiality
requirements will not be relaxed.

The working group will perform the following work:

1. Define the goals and requirements of an Opportunistic Security approach
for RTP
2. Define a specification for OSRTP.

Non Goals

This work will not define any new extensions to SIP or SDP, but it may make
changes in some offer/answer procedures or authentication requirements of
key agreement protocols.  No changes to SRTP or RTP will be made.

Collaboration

The working group may coordinate with SIPCORE, MMUSIC, and AVTCORE as
needed.

Input to the WG

https://tools.ietf.org/html/draft-johnston-dispatch-osrtp (a starting point
for the goals and requirements and protocol)
https://tools.ietf.org/html/draft-kaplan-mmusic-best-effort-srtp-00 (for
historical reasons and background)