Re: [rtcweb] Support of SDES in WebRTC

Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 29 March 2012 21:13 UTC

From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Date: Thu, 29 Mar 2012 23:13:30 +0200
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>

Hi,

That's why I wrote "the entire webapp" below. If it was not clear I meant that the

- main HTML page
- all external CSS files, JavaScript files, images, etc.
- all XMLHttpRequests
- all WebSocket connections

are protected with TLS. This is obviously verifiable and it's a feature supported by all modern browsers (no mixed content). 

/Oscar



> -----Original Message-----
> From: Iñaki Baz Castillo [mailto:ibc@aliax.net] 
> Sent: Thursday, March 29, 2012 5:33 PM
> To: Oscar Ohlsson
> Cc: Fabio Pietrosanti (naif); <rtcweb@ietf.org>
> Subject: Re: [rtcweb] Support of SDES in WebRTC
> 
> 2012/3/29 Oscar Ohlsson <oscar.ohlsson@ericsson.com>:
> > Hi Fabio,
> >
> > My assumption has always been the following:
> >
> > - DTLS-SRTP is the default
> > - DTLS-SRTP + identity can be turned on via the JavaScript API if the
> > webapp wishes to do so
> > - SDES can be turned on by a manipulated SDP offer/answer provided the
> > entire webapp was retrieved over HTTPS
> 
> Please check this mail in which I explain that retrieving the 
> web app by means of HTTPS means nothing:
> 
>   http://www.ietf.org/mail-archive/web/rtcweb/current/msg03914.html
> 
> 
> 
> --
> Iñaki Baz Castillo
> <ibc@aliax.net>
>
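
The assumption discussed in this message (DTLS-SRTP by default, SDES only when the entire webapp is TLS-protected), written out as a check. This is an added example, not code from the thread or from any browser; the function names, URLs and SDP sample are hypothetical and constructed.

```javascript
// Added example: names and sample data are hypothetical and constructed.

// True only if every absolute URL uses a TLS-protected scheme.
function allOverTls(urls) {
  return urls.every((u) => ["https:", "wss:"].includes(new URL(u).protocol));
}

// Report the keying method offered in each m= section of an SDP blob.
function keyingPerMedia(sdp) {
  const sections = [];
  let sessionFingerprint = false; // a=fingerprint may appear at session level
  let current = null;
  for (const line of sdp.split(/\r?\n/)) {
    if (line.startsWith("m=")) {
      current = { media: line.slice(2).split(" ")[0], sdes: false, dtls: sessionFingerprint };
      sections.push(current);
    } else if (line.startsWith("a=fingerprint:")) {
      if (current) current.dtls = true;
      else sessionFingerprint = true;
    } else if (line.startsWith("a=crypto:") && current) {
      current.sdes = true; // SDES: SRTP key carried inline in the SDP
    }
  }
  return sections.map(({ media, sdes, dtls }) => ({
    media,
    keying: sdes && dtls ? "both" : sdes ? "sdes" : dtls ? "dtls-srtp" : "none",
  }));
}

// Policy from the message: DTLS-SRTP always allowed; any section that
// carries SDES keys is allowed only when everything was loaded over TLS.
function evaluate(sdp, loadedUrls) {
  const tls = allOverTls(loadedUrls);
  return keyingPerMedia(sdp).map((s) => ({
    ...s,
    allowed: s.keying === "dtls-srtp" || (s.keying !== "none" && tls),
  }));
}

// Constructed sample input (placeholder key and fingerprint, not real values).
const SAMPLE_SDP = [
  "v=0",
  "m=audio 49170 RTP/SAVP 0",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY",
  "m=video 51372 UDP/TLS/RTP/SAVP 96",
  "a=fingerprint:sha-256 CONSTRUCTED:PLACEHOLDER",
].join("\r\n");
const TLS_ONLY = ["https://app.example/", "https://app.example/app.js", "wss://app.example/ws"];
const MIXED = [...TLS_ONLY, "http://cdn.example/lib.js"];
```

With `TLS_ONLY` the SDES audio section is allowed; with `MIXED` (one plain-HTTP script) it is rejected while the DTLS-SRTP video section is unaffected.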