[rtcweb] Support of SDES in WebRTC

"Fabio Pietrosanti (naif)" <lists@infosecurity.ch> Thu, 29 March 2012 08:54 UTC

Sender: Fabio Pietrosanti <naif@infosecurity.ch>
Message-ID: <4F742344.802@infosecurity.ch>
Date: Thu, 29 Mar 2012 10:54:28 +0200
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [rtcweb] Support of SDES in WebRTC
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 08:54:37 -0000

On the topic of SDES vs. DTLS-SRTP, a very nice analysis has been done at:
http://www.potaroo.net/ietf/idref/draft-ohlsson-rtcweb-sdes-support/

Considering how vague the security implementation considerations of
DTLS-SRTP are and how widely diffused SDES-SRTP is, I'm wondering whether
we should not mandate the use of SDES-SRTP.

That way we would be able to see:

- All implementations will start with SDES (simpler and quicker)
- Those who want enhanced security, at greater implementation and
interoperability complexity, also implement DTLS-SRTP

But for the industry a full cycle of:
- Implementation
- Stabilization
- Interoperability

for DTLS-SRTP (that nobody uses) may require from 2 up to 4-5 years.

If we go for SDES-SRTP by default, as an early choice, probably within
1-2 years at most we can expect the overall technological ecosystem
to be stable and interoperable.

Because it will be built on top of an existing stable framework.

We may save dozens of millions of USD in investment costs for the industry
and gain some hundreds of millions of users a year in advance, just because
we would save several years of time.

I think that those considerations are valuable enough to strongly
consider the arguments for making SDES-SRTP a preferred, mandatory
implementation for WebRTC.

-- 
Fabio Pietrosanti
Founder, CTO

Tel: +39 02 85961748 (direct)
Mobile: +39 340 1801049
E-mail: fabio.pietrosanti@privatewave.com
Skype: fpietrosanti
Linkedin: http://linkedin.com/in/secret

PrivateWave Italia S.p.A.
Via Gaetano Giardino 1 - 20123 Milano - Italy
www.privatewave.com
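As an added illustration of what the SDES vs. DTLS-SRTP choice means on the wire (this is not code from the post, from the cited draft, or from any WebRTC stack): the script below parses the two SDP attributes involved, the RFC 4568 `a=crypto` line used by SDES and the `a=fingerprint` line used by DTLS-SRTP, and reports what a passive observer of the signaling path learns from each offer. The two SDP offers, the inline key (base64 of a 16-byte key `0123456789abcdef` followed by a 14-byte salt `saltsaltsaltsa`) and the fingerprint value are constructed for the example.

```python
"""Added example: what an SDES-SRTP offer exposes on the signaling path versus a DTLS-SRTP offer."""
import base64
import re

# Master-key || master-salt sizes per crypto-suite (RFC 4568 section 6.2; RFC 6188 for AES-256).
SUITE_KEY_LENGTHS = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
}

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]   (RFC 4568 section 4)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# a=fingerprint:<hash-func> <hex:hex:...>                           (RFC 4572 / RFC 8122)
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)$")


def parse_crypto_attributes(sdp):
    """Return one dict per a=crypto line; the SRTP master key is decoded straight from the SDP."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, key_params, _session_params = m.groups()
        if suite not in SUITE_KEY_LENGTHS:
            raise ValueError("unknown crypto-suite %r" % suite)
        method, _, key_info = key_params.partition(":")
        if method != "inline":  # RFC 4568 defines only the "inline" key method
            raise ValueError("unsupported key method %r" % method)
        # key-info = base64(key||salt) ["|" lifetime] ["|" mki ":" mki-length]
        fields = key_info.split("|")
        key_salt = base64.b64decode(fields[0], validate=True)
        key_len, salt_len = SUITE_KEY_LENGTHS[suite]
        if len(key_salt) != key_len + salt_len:
            raise ValueError("key||salt is %d bytes, suite needs %d" % (len(key_salt), key_len + salt_len))
        lifetime, mki = None, None
        for field in fields[1:]:
            if ":" in field:
                mki_value, mki_length = field.split(":", 1)
                mki = (int(mki_value), int(mki_length))
            else:
                lifetime = field
        found.append({"tag": int(tag), "suite": suite, "master_key": key_salt[:key_len],
                      "master_salt": key_salt[key_len:], "lifetime": lifetime, "mki": mki})
    return found


def parse_fingerprints(sdp):
    """Return (hash-func, digest bytes) for each a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        m = FINGERPRINT_RE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), bytes.fromhex(m.group(2).replace(":", ""))))
    return found


def signaling_exposure(sdp):
    """Summarise what a passive observer of the signaling channel learns from one SDP offer."""
    keys = parse_crypto_attributes(sdp)
    fingerprints = parse_fingerprints(sdp)
    return {
        "sdes_master_keys": [k["master_key"] for k in keys],
        "dtls_fingerprints": fingerprints,
        # SDES: the master key is in the SDP, so anyone who reads the signaling can decrypt the media.
        # DTLS-SRTP: the SDP carries only a certificate hash; the keys come out of the DTLS handshake.
        "observer_can_decrypt_media": bool(keys),
    }


# Constructed sample offers (not captured traffic). The inline value is base64 of
# b"0123456789abcdef" (16-byte master key) + b"saltsaltsaltsa" (14-byte master salt).
SDES_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
    "m=audio 49170 RTP/SAVP 0", "c=IN IP4 192.0.2.10",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MDEyMzQ1Njc4OWFiY2RlZnNhbHRzYWx0c2FsdHNh|2^20|1:32",
])
DTLS_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
    "m=audio 49170 UDP/TLS/RTP/SAVPF 0", "c=IN IP4 192.0.2.10", "a=setup:actpass",
    "a=fingerprint:sha-256 A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:"
    "A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90",
])

if __name__ == "__main__":
    for name, offer in (("SDES", SDES_OFFER), ("DTLS-SRTP", DTLS_OFFER)):
        exposure = signaling_exposure(offer)
        print(name, "keys:", [k.hex() for k in exposure["sdes_master_keys"]],
              "fingerprints:", [(h, d.hex()) for h, d in exposure["dtls_fingerprints"]],
              "observer can decrypt media:", exposure["observer_can_decrypt_media"])
```

The point the cited draft weighs is visible in the two results: with SDES every hop that sees the offer (web server, signaling relay, anything logging SDP) holds the SRTP master key, whereas with DTLS-SRTP the offer carries only a certificate hash, which is not secret. That hash still has to reach the peer unmodified, so DTLS-SRTP protects against a passive signaling observer but not, by itself, against an active one that rewrites the fingerprint; that gap is what identity binding of the fingerprint is for.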