Re: [rtcweb] Consensus call regarding media security

jesse <chat2jesse@gmail.com> Mon, 02 April 2012 23:34 UTC


On Mar 28, 2012 2:08 PM, "Basil Mohamed Gohar" <abu_hurayrah@hidayahonline.org> wrote:
>
> On 03/28/2012 04:41 PM, Roman Shpount wrote:
> > My main objection is that if an application developer does not take
> > care to develop a secure application, nothing you can do on the
> > standard side will make it a secure application. If I am building a
> > public voice blog that records a voice message that anybody can listen
> > to on the web site, security is not needed. My assumption is that a
> > fair number of applications would be like this. So for such
> > applications this is an unnecessary feature.
> >
> > WebRTC will not exist in a vacuum. It will communicate with other
> > systems. It is not limited to old SIP devices. It can be something new
> > like server side speech recognition that is integrated with a web
> > application. For such an application extra code and interop requirements
> > to support security will represent a real and significant cost. Any
> > requirement, unless absolutely necessary will create barriers to entry
> > for new applications. I would like to avoid as many of those as
> > possible.
> > _____________
> > Roman Shpount
> Roman,
>
> You make a lot of good points.  However, the inverse is true as well -
> namely, that if encryption is not mandated, most implementations will
> likely leave it out,

That means SRTP is unnecessary to fulfill major practical usage cases.

The decision to use telnet or ssh for remote desktop should be made by the IT
department, not by a standard committee.

- jesse

> and adoption of secured communications would be
> stifled even longer.  I cannot speak about the implementation
> difficulties, but I can speak from the user side that most people will
> remain ignorant of the underlying technology and not know enough to
> demand nor enable a feature if it is optional to implement and/or use.
>
> As WebRTC is a new standard, requiring encryption will ensure that, at
> least going forward, the important concept of encryption is widely
> adopted correctly from the beginning.  Tacking it on later, no matter
> how much it is emphasized, will be difficult or impossible.
>
> The scope of WebRTC is broad enough to consider that we need to think
> about what's best going forward with regards to its implementation.
> Security by default is one of the best practices in general, the support
> from the browser community and others that are behind it will definitely
> ensure that adoption is widespread enough to make it easy enough to
> integrate into existing systems, as free software solutions will become
> available shortly after the standard emerges.