Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Iñaki Baz Castillo <ibc@aliax.net> Fri, 26 April 2013 11:37 UTC

Date: Fri, 26 Apr 2013 13:37:43 +0200
Message-ID: <CALiegfnqW26gEMYNpjJyzu=Nd6z9wCjvZbuY1N2tYvbfQiHyPA@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Dan Wing <dwing@cisco.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Such a solution requires a very expensive gateway. Good for vendors but bad
for all the rest.

--
Iñaki Baz Castillo
<ibc@aliax.net>
On 26/04/2013 00:14, "Dan Wing" <dwing@cisco.com> wrote:

>
> On Apr 25, 2013, at 9:39 AM, Alan Johnston <alan.b.johnston@gmail.com>
> wrote:
>
> > I'm not a fan of SDES. However, I've come to believe that we need it for
> two reasons.
> >
> > 1. There is a backwards compatibility reason. There are deployed systems
> of SRTP that use SDES or a key agreement that easily maps to it. Just as we
> allowed G.711 for these systems, it seems reasonable to allow SDES as well.
> When combined with ICE Lite in a media gateway, this is a scalable interop
> approach.
>
> Interworking at scale can be accomplished without SDES on WEBRTC, as I
> explained at IETF83 in slides 27-35 of
> http://www.ietf.org/proceedings/83/slides/slides-83-rtcweb-3.pdf.
>
> > 2. We need it or something like it for API reasons. There are cases
> where the JavaScript needs to tell the browser what SRTP key to use.
>
> DTLS-SRTP with EKT can also perform that function, and does it without
> disclosing the SRTP key to all the SIP proxies and all the web servers on
> the signaling path.
>
> > Since JSEP uses SDP for this API surface, SDES works for this. Obviously
> it is a bad idea to send this key over unsecured channels, but this is
> separate from this API issue.
> >
> > And just to be clear, browser to browser should use DTLS-SRTP, and only
> thus mode should be considered "secure" using whatever user interface a
> browser chooses.
>
> But is there a secure mechanism to differentiate browser-to-browser calls
> from browser-to-non-browser calls, so we don't have to worry over SDES
> downgrade attacks?  And for the use-cases where JavaScript has to set the
> key, those will often be browser-to-browser calls, meaning that we will
> have to support browser-to-browser SDES, contrary to your desire that
> browser-to-browser use DTLS-SRTP?  DTLS-SRTP with EKT permits the
> application to set the SRTP key, and more securely than SDES.
>
> -d
>
>
> >
> > - Alan -
> >
> >
> >
> > On Apr 25, 2013, at 11:57 AM, Cullen Jennings <fluffy@iii.ca> wrote:
> >
> >>
> >> The working groups committed some time ago to have a further discussion
> on whether SDP Security Descriptions (RFC 4568 aka SDES) would be usable as
> a keying method for WebRTC.  As we prepare for that discussion, we'd like
> to have expressions of interest or support for that approach which indicate
> the general outlines of support proposed.  If you wish to make such an
> expression of support, please send it to the chairs or the list.
> >>
> >> Cullen, Magnus, & Ted <The Chairs>
> >>
> >>
> >> _______________________________________________
> >> rtcweb mailing list
> >> rtcweb@ietf.org
> >> https://www.ietf.org/mailman/listinfo/rtcweb
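A defender-side check for the two points Dan raises above (the SRTP key sitting in the clear in an `a=crypto` line for every signaling hop to read, and an answer that falls back to SDES after DTLS-SRTP was offered), written as an added example that is not from this thread or any project; the SDP offer/answer text is constructed and the fingerprint and key values are placeholders:

```python
import re
# Constructed offer: session-level DTLS-SRTP fingerprint plus an SDES a=crypto
# (RFC 4568) line on the audio section. All values are placeholders.
OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
t=0 0
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|2^20|1:32
m=video 9 UDP/TLS/RTP/SAVPF 96
"""
# Constructed answer with the fingerprint stripped and only SDES kept.
ANSWER = """v=0
o=- 2 1 IN IP4 192.0.2.2
s=-
t=0 0
m=audio 5004 RTP/SAVP 111
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB|2^20|1:32
m=video 0 RTP/SAVP 96
"""
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) (\S+)")

def keying_summary(sdp):
    """Per m= section: SDES suites seen and whether a DTLS-SRTP fingerprint applies."""
    session_fp, sections, cur = False, [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            cur = {"media": line[2:].split()[0], "sdes": [], "dtls": False}
            sections.append(cur)
        elif FINGERPRINT_RE.match(line):
            if cur is None:
                session_fp = True  # session-level fingerprint covers every section
            else:
                cur["dtls"] = True
        elif (m := CRYPTO_RE.match(line)) and cur is not None:
            cur["sdes"].append(m.group(2))  # the SRTP key itself is in this line
    for s in sections:
        s["dtls"] = s["dtls"] or session_fp
    return sections

def check_keying(offer, answer):
    """Flag sections whose answer lands on SDES; say whether DTLS-SRTP was offered."""
    findings = []
    for o, a in zip(keying_summary(offer), keying_summary(answer)):
        if a["sdes"] and not a["dtls"]:
            kind = ("downgrade: DTLS-SRTP offered, answer selected SDES" if o["dtls"]
                    else "SDES only: SRTP key exposed to every signaling hop")
            findings.append(f"{a['media']}: {kind} ({a['sdes'][0]})")
    return findings
```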