Re: [rtcweb] [MMUSIC] Draft new: draft-wang-mmusic-encrypted-ice-candidates

"Martin Thomson" <> Mon, 04 November 2019 03:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1E0621200FD; Sun, 3 Nov 2019 19:36:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=TO8IqNYM; dkim=pass (2048-bit key) header.b=XWdkR2Wc
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lIh010t7AuOT; Sun, 3 Nov 2019 19:36:13 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2151D120121; Sun, 3 Nov 2019 19:36:13 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id BE8E421B2C; Sun, 3 Nov 2019 22:36:11 -0500 (EST)
Received: from imap2 ([]) by compute1.internal (MEProxy); Sun, 03 Nov 2019 22:36:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm3; bh=yT/4DlU4q98BCjjQ7bxVDZczlxqq dLPgtYcyAK1sfCo=; b=TO8IqNYMq38AVHUEK7b5+N7pSumIJlTw5LKnlDdHj1p6 WMqHoSH9b6wlejFocmd+Rwb1KCA8jBeU9mgDX2ehjs4YOqAv7NuD91m6UxtiG9t+ XgrvAKXp5y4j3uS97mO9s8DrVsfPDmTvWolzkRZvNo8tpyXNcnOIc6elIkMIJRI6 XXjHXmFpL2kkyeeBgtNEMic2i67Z4QT9UeF8LEdLz4C/cB+5Xbt0gxRFvlWbewe+ Z1HGAZVYF/+ihIkI6sPGXGAdH3ClfH4OI8acf9jA8/KIoijMPx3dAtVad9eT/t96 wK7OxXp/bd71RmX6iq12o0u66cDEu/qmYuL1ijUYvw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=yT/4Dl U4q98BCjjQ7bxVDZczlxqqdLPgtYcyAK1sfCo=; b=XWdkR2Wc1K/JVfcOTU9hBy aBlKciB6sitK4twQPKQs8bGQCjXH+FVkDFJwxTLwFWIxq1CHBWyLCPBTIIyvSDfK ZIVQ73d6XchLGiPNmFGL7D6GOZEUvYbCmJJYKD8ZuyDU5OrEieoQ5187TfR/CgKP +tFM6AzFCQFApG/G0cNFZCSyOXR+3TWSAkJ0FDEXumwh8VR86qcSxyFM1wUg9nq2 JXocH3HtCxkSo+E+x/3RpLUc5gsY1hl/hW8w3DpP24/rOEo1FaNjnUBmBLZO4riY t3syGqUY5FZnkFP8PVnjXYx8xxIX+c16JLjY9NvgyHTMUNilmzcim0Vee+6C4/Xw ==
X-ME-Sender: <xms:q5y_XUj4vIzp-hdTHhyFg2ZKJQIfecfQBEFxIiDq7mZxEfEOem_LEg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudduvddgheelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreerjeenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecuff homhgrihhnpehgihhthhhusgdrtghomhdpihgvthhfrdhorhhgnecurfgrrhgrmhepmhgr ihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvghtnecuvehluhhsthgvrhfuih iivgeptd
X-ME-Proxy: <xmx:q5y_XTlUDZZO8g8BjDCcKNKqEm1IpTL5_q53-OyT4BOWJFHh8de-lA> <xmx:q5y_XY2n598RtQRgPRYAv2-PfjIf790wO8IuRtI6GoJONAdvmztiEw> <xmx:q5y_Xd7vidTMNM4bRxvPW2AaBzrL6_9oPtldrH9kWa1_CO-Z71w0kQ> <xmx:q5y_XegldlCEHL7VSnryRlufFqyXf4CB4gLvCtk1TxHYUQiwGGg4jA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 36E78E00A5; Sun, 3 Nov 2019 22:36:11 -0500 (EST)
X-Mailer: Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-509-ge3ec61c-fmstable-20191030v1
Mime-Version: 1.0
Message-Id: <>
In-Reply-To: <>
References: <>
Date: Mon, 04 Nov 2019 14:35:51 +1100
From: "Martin Thomson" <>
To: "Qingsi Wang" <>, mmusic <>
Cc: "Alex Drake" <>,
Content-Type: text/plain
Archived-At: <>
Subject: Re: [rtcweb] =?utf-8?q?=5BMMUSIC=5D_Draft_new=3A_draft-wang-mmusic-e?= =?utf-8?q?ncrypted-ice-candidates?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Nov 2019 03:36:15 -0000

This draft has the effect of defining a new gTLD.  That's problematic, and likely unnecessary.  I would encourage you to look into ways to signal these candidates differently.  a=encrypted-candidate might work, for instance.  You might be able to encrypt more data than an IP address in the process.

I also don't see how key management works here.  The goal of the draft is to define a set of entities that you are OK with reading your IP address, but I don't see any text that addresses the difficulty of a) identifying the entities in that set, and b) getting those entities the necessary keys.  Those are the really hard problems in this space.

I don't see how this provides any sort of algorithm agility or ability to identify the keys that are in use.  Maybe trial decryption is acceptable in this context, but that can get unwieldy fairly rapidly.

On Sat, Nov 2, 2019, at 07:06, Qingsi Wang wrote:
> Greetings.
> This draft 
> ( proposes a complementary solution to the mDNS candidate detailed in draft-ietf-rtcweb-mdns-ice-candidates, specifically for managed networks. IPs of ICE candidates are encrypted via PSK and signaled as pseudo-FQDNs in this proposal, and it aims to address the connectivity challenge from the mDNS technique in these managed environments. The current work on this draft is tracked in
> Regards,
> Qingsi
> _______________________________________________
> rtcweb mailing list