IETF Logo Mail Archive

Re: [rtcweb] Use case change request: Identity in multiuser calls

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Thu, 11 August 2011 19:38 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 655EC11E8086 for <rtcweb@ietfa.amsl.com>; Thu, 11 Aug 2011 12:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.798
X-Spam-Level:
X-Spam-Status: No, score=-6.798 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DoeTlOoKKlNq for <rtcweb@ietfa.amsl.com>; Thu, 11 Aug 2011 12:38:33 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by ietfa.amsl.com (Postfix) with ESMTP id EAB4A21F8B4A for <rtcweb@ietf.org>; Thu, 11 Aug 2011 12:38:32 -0700 (PDT)
Received: from usnavsmail1.ndc.alcatel-lucent.com (usnavsmail1.ndc.alcatel-lucent.com [135.3.39.9]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id p7BJd68D014830 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 11 Aug 2011 14:39:06 -0500 (CDT)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail1.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id p7BJd6lA003726 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 11 Aug 2011 14:39:06 -0500
Received: from [135.244.38.171] (faynberg.lra.lucent.com [135.244.38.171]) by umail.lucent.com (8.13.8/TPES) with ESMTP id p7BJd5oX023226; Thu, 11 Aug 2011 14:39:05 -0500 (CDT)
Message-ID: <4E442FD8.6060008@alcatel-lucent.com>
Date: Thu, 11 Aug 2011 15:39:04 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Henry Sinnreich <henry.sinnreich@gmail.com>
References: <CA69938B.1CB98%henry.sinnreich@gmail.com>
In-Reply-To: <CA69938B.1CB98%henry.sinnreich@gmail.com>
Content-Type: multipart/alternative; boundary="------------050104070805050803080101"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.9
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Use case change request: Identity in multiuser calls
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2011 19:38:34 -0000

Well...

(I thought that the lawful intercept issue that came up several times is 
pertinent here.)  But note that this was a parenthetical remark!

A non-parenthetical one is based on the quote from the cited draft:

"In the development of ZRTP, it was realized that there are scenarios
    in which the media can not be encrypted end-to-end.  For example,
    when a client has a trusted server or PBX which provides media
    services in the path.  For these cases, ZRTP developed mechanisms for
    handling a "trusted MiTM" which can terminate than reoriginate the
    SRTP encryption."



So, if we end up with a "trusted MITM," why not have a trusted central 
server in the first place?

Igor

P.S.:  I have nothing against ZRTP, which has done a thorough and honest 
job.  I question its applicability to the agreed use cases. Personally I 
think we need an all-encompassing solution.


On 8/11/2011 3:11 PM, Henry Sinnreich wrote:
>> Henry - what sort of mechanism did you have in mind for these anonymous
>> participants to identify themselves to one another? Are you talking
>> about the exchange of credentials using the server as an intermediary in
>> the exchange? Or did you have in mind an exchange outside the server.
>> (E.g. Bob establishes a secure connection to Alice and over it tells her
>> "I'm anon2 in conference foo right now"?
> The most credible e2e identification that comes to my mind is Phil
> Zimmermann's Zfone technology:
>
> http://www.ietf.org/id/draft-johnston-rtcweb-media-privacy-00.txt
> http://zfoneproject.com/
>
> Definitely not relying on any "trusted" server :-)
>
> Thanks, Henry
>
> On 8/11/11 11:50 AM, "Paul Kyzivat"<pkyzivat@alum.mit.edu>  wrote:
>
>> On 8/11/11 12:07 PM, Henry Sinnreich wrote:
>>>> The participants are identified to
>>>> each other by the central server
>>> There may be no contradiction, but just to make sure the scenario, such as a
>>> confidential business meeting is included (not necessarily a social network
>>> scenario).
>>>
>>> A confidential conference MUST assure that all participants can also be
>>> safely identified first to each other, not necessarily by the server, end to
>>> end, to the full satisfaction of all the participants, who would otherwise
>>> refuse to continue  to speak up or continue to attend at all.
>>> Who provides for the e2e identification? A 3rd party? Inside the app?
>>>
>>> Did I understand correctly there is no contradiction?
>>> Any problem in clarifying this?
>> This is an example of the sort of thing I was speaking of in my earlier
>> reply - that there are differing levels of identity that may be desired.
>>
>> In some cases, participants may want to be fully anonymous. But even
>> then, it will typically be important that one participant be able to
>> identify *which* of the other (anonymous) participants it is receiving
>> media from. (E.g. by noting which participant in the roster is the
>> current speaker - anon1, anon2, ...)
>>
>> In other cases the participants *true* identities are hidden, but
>> handles/nicknames may be used to identify them in the roster and in
>> chats. ("snoopy" and "red barron" rather than anon1 and anon2.)
>>
>> But in that case there are issues of how the handles are associated with
>> participants. It could be that handles are permanently assigned to real
>> users by the server. Then you can be confident that when talking to
>> "snoopy" it is always someone well defined - same as the last time -
>> without awareness of who that person *actually* is.
>>
>> Alternatively, the server might allow handles to be used on a fcfs basis
>> per conference. Or it might allow handles to be non-unique, so that you
>> could have two "snoopy"s at the same time, bound to unrelated users.
>>
>> Henry - what sort of mechanism did you have in mind for these anonymous
>> participants to identify themselves to one another? Are you talking
>> about the exchange of credentials using the server as an intermediary in
>> the exchange? Or did you have in mind an exchange outside the server.
>> (E.g. Bob establishes a secure connection to Alice and over it tells her
>> "I'm anon2 in conference foo right now"?
>>
>> Thanks,
>> Paul
>>
>>> Thanks, Henry
>>>
>>>
>>> On 8/10/11 9:16 AM, "Harald Alvestrand"<harald@alvestrand.no>   wrote:
>>>
>>>> In draft-ietf-rtcweb-use-cases-and-requirements, I would like to extend
>>>> one part of the scenario "4.3.3 Video conferencing system with central
>>>> server".
>>>>
>>>> I would like to add one more paragraph:
>>>>
>>>> "All participant are authenticated by the central server, and authorized
>>>> to connect to the central server. The participants are identified to
>>>> each other by the central server, and the participants do not have
>>>> access to each others' credentials such as e-mail addresses or login IDs".
>>>>
>>>> This is necessary in order to drive use cases that resemble Google
>>>> Hangout, where it is a requirement that people are able to participate
>>>> without disclosing their Google login IDs to each other.
>>>> (in the particular case of Hangout, the display name on their profile
>>>> *is* disclosed ... but that's a different matter)
>>>>
>>>> The reason I think this is important is that it feeds directly into the
>>>> discussion of what WebRTC needs to authorize: The final source or
>>>> destination of media, or the identity of the handler at the first hop.
>>>> In at least the case of Hangouts, the requirement is to *not* authorize
>>>> the final source or destination.
>>>>
>>>> Not sure yet how to formulate that as a requirement, and not sure yet if
>>>> it applies to the cases without a central server, such as 4.2.6. We may
>>>> have to decide.
>>>>
>>>>                            Harald
>>>>
>>>>
>>>> _______________________________________________
>>>> rtcweb mailing list
>>>> rtcweb@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/rtcweb
>>>
>>> _______________________________________________
>>> rtcweb mailing list
>>> rtcweb@ietf.org
>>> https://www.ietf.org/mailman/listinfo/rtcweb
>>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email