Re: [rtcweb] SRTP not mandatory-to-use

Bernard Aboba <bernard_aboba@hotmail.com> Tue, 03 January 2012 23:59 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 619CE1F0C56 for <rtcweb@ietfa.amsl.com>; Tue, 3 Jan 2012 15:59:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.864
X-Spam-Level:
X-Spam-Status: No, score=-100.864 tagged_above=-999 required=5 tests=[AWL=-0.866, BAYES_50=0.001, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lvm6kPzNMsTO for <rtcweb@ietfa.amsl.com>; Tue, 3 Jan 2012 15:59:41 -0800 (PST)
Received: from blu0-omc1-s10.blu0.hotmail.com (blu0-omc1-s10.blu0.hotmail.com [65.55.116.21]) by ietfa.amsl.com (Postfix) with ESMTP id B35B81F0C50 for <rtcweb@ietf.org>; Tue, 3 Jan 2012 15:59:41 -0800 (PST)
Received: from BLU152-W55 ([65.55.116.7]) by blu0-omc1-s10.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 3 Jan 2012 15:59:41 -0800
Message-ID: <BLU152-W55F48235E9DA8077B6C99393960@phx.gbl>
Content-Type: multipart/alternative; boundary="_63a3dfe9-76c3-47ad-964d-2d71e0adcf2a_"
X-Originating-IP: [24.17.217.162]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: blizzard@mozilla.com
Date: Tue, 03 Jan 2012 15:59:40 -0800
Importance: Normal
In-Reply-To: <683bfb1d-d142-4e86-9506-7d90ea27f44c@zimbra1.shared.sjc1.mozilla.com>
References: <BLU152-W469B2EB104C104547FC42393960@phx.gbl>, <683bfb1d-d142-4e86-9506-7d90ea27f44c@zimbra1.shared.sjc1.mozilla.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 03 Jan 2012 23:59:41.0426 (UTC) FILETIME=[C2269520:01CCCA73]
Cc: randell-ietf@jesup.org, rtcweb@ietf.org
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2012 23:59:42 -0000

Chris Blizzard said:

"That really depends on how it's presented to users."

[BA] The choice is either not to provide any information to users, or to provide information in some form. 

If there is no information provided, then the user would not know whether media security is really in place or not.   

While that might lead to suitably low expectations (e.g. users should assume no security, even if SRTP is used), the conversation had talked about setting a higher bar. 

If information is provided, then it would seem desirable for that information to be reflective of the level of security in place.   If not, why bother?