Re: [rtcweb] Telling the user the connection is secure (Re: Resolving RTP/SDES question in Paris)
Roman Shpount <roman@telurix.com> Tue, 20 March 2012 14:03 UTC
Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17B6C21F85AC for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 07:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.776
X-Spam-Level:
X-Spam-Status: No, score=-2.776 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id beEVEtJzqSx9 for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 07:03:48 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 404C921F85A5 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 07:03:48 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so124496pbb.31 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 07:03:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=jdtgK0y+0966S0ZmdnAvqk6w1WkGhex0dpycvxx/Ufk=; b=XXnY22B7HDVM0MXhYOfj0ZGBfOKEttbqQKkPD4rzw3Z+Yctv45M1m9C0KW63q73IC/ atZ9DFr1tCiTv8NI3cdfo+U4w+riLu20Rd6uxkvv92LlCG1Tj7FpR4k3gr81I7CI4XtO 8FSJzcK3EXGx2Yozs6YsyvgOa0pZhokWgCHUOL5FPZPqCO99ZobAJG8m7IDPEQjulws0 8pG0t44SMvmEQ25OWi+4tSZ2fy/8alWNMXlGGiUf87PdL4rzVfyKuazwRCbrKZicdtM9 W/2cAO5VrbjfOIQRuJHFv58e/om+yHEaYhpJpuSrqKptjIdAUeU8JgtyRE4QsoQ6CezU AW/Q==
Received: by 10.68.191.230 with SMTP id hb6mr1507796pbc.87.1332252228017; Tue, 20 Mar 2012 07:03:48 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx.google.com with ESMTPS id h6sm1373799pbj.44.2012.03.20.07.03.46 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 20 Mar 2012 07:03:47 -0700 (PDT)
Received: by dakl33 with SMTP id l33so70256dak.31 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 07:03:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.191.161 with SMTP id gz1mr1566556pbc.76.1332252226378; Tue, 20 Mar 2012 07:03:46 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Tue, 20 Mar 2012 07:03:46 -0700 (PDT)
In-Reply-To: <4F686183.6040201@alvestrand.no>
References: <4F4759DC.7060303@ericsson.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113563C5A92@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CALiegf=jtkDCS_D0ZFe9UpbiadQ0vsJ+4MppQSbLr-wbaXNrfQ@mail.gmail.com> <BLU169-W29E5B86F9E2C6F3126961C93420@phx.gbl> <CALiegfk2aT+6Psr4nT-hG1G7eYRBfFCcT+25On2O4HfUXJ6-ng@mail.gmail.com> <CAD6AjGSmi9j+sdGWPts20-iwGvGij05ek0OKYEPULC6B=aFpQg@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113564482A7@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <ADBB75F3-E20C-4EC4-B9C3-EF2E4BFF409C@phonefromhere.com> <CAD5OKxvuEV8Vbq3h7=ZgcKmREjmguvz5n-SpXr2n-EY7a_ddxg@mail.gmail.com> <CALiegfk1ozOKPcDjbd3H_z2Edzh4RcZpYyJSWdw_1DJ04muQXA@mail.gmail.com> <CAD5OKxu8-+0O0=eE7mD1hi=nPUpEXczGj=bRNQCQL1BW8c-c-Q@mail.gmail.com> <4F677F3B.3040407@alcatel-lucent.com> <4F686183.6040201@alvestrand.no>
Date: Tue, 20 Mar 2012 10:03:46 -0400
Message-ID: <CAD5OKxs0E7H1_3OpSv5dnZQYU=oL+3S0LmDWXeqZLSM-sL_H3g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Harald Alvestrand <harald@alvestrand.no>
Content-Type: multipart/alternative; boundary="e89a8ff1c35eb45aa904bbad24f3"
X-Gm-Message-State: ALoCoQki9J/7ovmc8j4wI4c2rBjuKx0SomFXyUOWPntktFjOlQ0KJK/4bMPPArSIoynBAct80cV0
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Telling the user the connection is secure (Re: Resolving RTP/SDES question in Paris)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 14:03:49 -0000
On Tue, Mar 20, 2012 at 6:52 AM, Harald Alvestrand <harald@alvestrand.no>wrote: > I believe I have said this before, but... > > We should never tell the user the connection is secure. > We should tell the user when we know he's exposed to risks that he usually > isn't. > > Thus - we should not give any indication that we're using DTLS-SRTP with > verified identities (if that's what we normally support). We SHOULD give a > warning saying "hey, since the gateway you've connected to isn't doing > normal authentication procedures, but instead insists on exchanging keys on > the signalling channel, you are less sure who you're talking to than usual, > and there are more boxes that might record your call in the way, but the > script kiddie on your hotel WLAN still can't see your packets (translation: > legacy SDES key exchange is in use, but SRTP is still on). > > All this will of course be iconified into a single cryptic graphic > probably involving a padlock :-) > > What we actually got here has to be iconified into padlocks of different size and degree of openness. In case of DTLS-SRTP with verified identities we still need to inform the user of the indentity of the person they are communicating with. It has to come from the browser, so that it can be presented with some degree of trust. Since we do not trust web server or the javascript app, we should be asking for user consent to get access to microphone and camera for each call anyway. When asking for this consent, we should be either telling the identity of the remote party or give a warning that remote party is unknown. _____________ Roman Shpount
- [rtcweb] Resolving RTP/SDES question in Paris Magnus Westerlund
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Cameron Byrne
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Cameron Byrne
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Lorenzo Miniero
- Re: [rtcweb] Resolving RTP/SDES question in Paris Lorenzo Miniero
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Jim Barnett
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- [rtcweb] RTP-IPSec vs SRTP-DTLS [was RE: Resolvin… Ravindran, Parthasarathi
- Re: [rtcweb] RTP-IPSec vs SRTP-DTLS [was RE: Reso… Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hutton, Andrew
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- [rtcweb] Telling the user the connection is secur… Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Telling the user the connection is s… Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Telling the user the connection is s… Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Jim Barnett
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hutton, Andrew
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Richard L. Barnes
- Re: [rtcweb] Resolving RTP/SDES question in Paris Magnus Westerlund
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount