Re: [rtcweb] Consensus call regarding media security
"Fabio Pietrosanti (naif)" <lists@infosecurity.ch> Thu, 29 March 2012 17:56 UTC
Return-Path: <lists@infosecurity.ch>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4394021E8125 for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 10:56:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.197
X-Spam-Level:
X-Spam-Status: No, score=-3.197 tagged_above=-999 required=5 tests=[AWL=-0.198, BAYES_00=-2.599, J_CHICKENPOX_83=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1vhRjwVcnByz for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 10:56:51 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id 6696C21E8117 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 10:56:51 -0700 (PDT)
Received: by wibhq7 with SMTP id hq7so259023wib.13 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 10:56:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:x-gm-message-state :content-type:content-transfer-encoding; bh=u5SGLP1fRrxkQGjxiqngfDWZmGkAQ53PJRIojIVTQn0=; b=SagXzZa/1mkvGqyYcydmHsFkoF/+ckbCzcBmRfYIyisTDnIXryRi8Vj2otQVcVYsw5 lEdLRGoljzW6wJ3RGCXURGIivqzHCtttiZ1MwvAimLVawBvcXHdgE6m91AU5OltXie6Z I5Twzw5ncY93B+fUtvXSJsypsS/4qaxLt/XhMighGeekD8plo8ks/ndUJ/l9iAS7CMjB OPBEs7PhuvGygHCUaxQ+nofJ+nKrVPPS4Hw9/AZdeTTcFFdQg/BcDvqBnj9lQBN0H9F1 1zETQlWqxD4wWl8RXkBGotCUrKZPV65MSrw9wuoAH/cJiDfWgivCaBu7TDjJCSFsPbcC TbtQ==
Received: by 10.180.105.69 with SMTP id gk5mr9290713wib.3.1333043810391; Thu, 29 Mar 2012 10:56:50 -0700 (PDT)
Received: from sonyvaiop13.local (93-57-41-37.ip162.fastwebnet.it. [93.57.41.37]) by mx.google.com with ESMTPS id b3sm68760917wib.4.2012.03.29.10.56.48 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 29 Mar 2012 10:56:49 -0700 (PDT)
Sender: Fabio Pietrosanti <naif@infosecurity.ch>
Message-ID: <4F74A25F.1050901@infosecurity.ch>
Date: Thu, 29 Mar 2012 19:56:47 +0200
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <4F732531.2030208@ericsson.com> <BLU169-W80FA8377288974CAF4716F93480@phx.gbl> <4F745719.5090709@ericsson.com>
In-Reply-To: <4F745719.5090709@ericsson.com>
X-Enigmail-Version: 1.4
X-Gm-Message-State: ALoCoQkn2bFnt/MOr6/d2r7ac+NRnlx1T7AGI68B6yzheQ3znraVgTPHfhP0Lnik8nPNf8DE6Hka
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] Consensus call regarding media security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 17:56:52 -0000
On 3/29/12 2:35 PM, Magnus Westerlund wrote: > On 2012-03-29 08:02, Bernard Aboba wrote: >> I agree with proposition #1 (SRTP) unconditionally. >> >> With respect to proposition #2 (DTLS-SRTP), perhaps the words "with >> details to be worked out" should have been added. >> >> I believe that the consensus achieved was only on a general direction, >> not an endorsement of particular proposals. >> >> Personally, I would like to have more specifics about the required >> features of DTLS-SRTP in the RTCWEB context. > > I hope someone that knows the details can elaborate on this. I thought > DTLS-SRTP has a core that you will need to implement. Then there is > clearly a question of crypto algorithms to be supported. But that also > applies to SRTP where we also need to select which crypto suites that > are to be implemented if any in addtion to the MITM. The WG will need to > select these details as part of the next steps. Hi Magnus, imho the selection of a crypto algorithms is not the first priority (it will probably goes with some well known AES-stuff), as the first priority is to define which will be the Key Management system to be used for DTLS-SRTP. Given the SRTP standard,the security and trust model radically change depending on the key exchange system details. With DTLS-SRTP the key exchange and security/trust model seems quite opaque and there's not a specific guideline to implement it and/or to satisfy a specific security requirement. While the SDES-SRTP method satisfy all the 4.1.1.* Calling method requirement of http://tools.ietf.org/html/draft-ietf-rtcweb-security-02#section-4.1.1 , because it would just rely on existing TLS/HTTPS method. So it would not even enter into the context/discussion of trust with the server, that has been already managed by the existing TLS/HTTPS. I did not really understand how DTLS-SRTP would like to manage the so-many-complicated trust scenario that TLS/HTTPS already manage. Imho everything should be simplified with two context: - Do you need end-to-site (TLS equivalent) security? SDES-SRTP + TLS/HTTPS - Do you need end-to-end (ZRTP/PGP equivalent) security? DTLS-SRTP with user-driven verification schema (such as Short Authentication String / Fingerprint / Key pinning) -- Fabio Pietrosanti Founder, CTO Tel: +39 02 85961748 (direct) Mobile: +39 340 1801049 E-mail: fabio.pietrosanti@privatewave.com Skype: fpietrosanti Linkedin: http://linkedin.com/in/secret PrivateWave Italia S.p.A. Via Gaetano Giardino 1 - 20123 Milano - Italy www.privatewave.com
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- [rtcweb] Consensus call regarding media security Magnus Westerlund
- Re: [rtcweb] Consensus call regarding media secur… Basil Mohamed Gohar
- Re: [rtcweb] Consensus call regarding media secur… Eric Rescorla
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Igor Faynberg
- Re: [rtcweb] Consensus call regarding media secur… Hadriel Kaplan
- Re: [rtcweb] Consensus call regarding media secur… Kevin P. Fleming
- Re: [rtcweb] Consensus call regarding media secur… Fabio Pietrosanti (naif)
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Fabio Pietrosanti (naif)
- Re: [rtcweb] Consensus call regarding media secur… Hadriel Kaplan
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Dan Wing
- Re: [rtcweb] Consensus call regarding media secur… Dan Wing
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Basil Mohamed Gohar
- Re: [rtcweb] Consensus call regarding media secur… Timothy B. Terriberry
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Justin Uberti
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Basil Mohamed Gohar
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Bernard Aboba
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Fabio Pietrosanti (naif)
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Magnus Westerlund
- Re: [rtcweb] Consensus call regarding media secur… Bernard Aboba
- Re: [rtcweb] Consensus call regarding media secur… Justin Uberti
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Hutton, Andrew
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Basil Mohamed Gohar
- Re: [rtcweb] Consensus call regarding media secur… Hutton, Andrew
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Ravindran, Parthasarathi
- Re: [rtcweb] Consensus call regarding media secur… Fabio Pietrosanti (naif)
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Fabio Pietrosanti (naif)
- Re: [rtcweb] Consensus call regarding media secur… Ravindran, Parthasarathi
- Re: [rtcweb] Consensus call regarding media secur… jesse
- Re: [rtcweb] Consensus call regarding media secur… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- Re: [rtcweb] Consensus call regarding media secur… Roman Shpount
- [rtcweb] Which servers to trust (Re: Consensus ca… Harald Alvestrand
- Re: [rtcweb] Which servers to trust (Re: Consensu… Iñaki Baz Castillo
- Re: [rtcweb] Which servers to trust (Re: Consensu… Iñaki Baz Castillo
- Re: [rtcweb] Which servers to trust (Re: Consensu… Randell Jesup
- Re: [rtcweb] Which servers to trust (Re: Consensu… Iñaki Baz Castillo
- Re: [rtcweb] Consensus call regarding media secur… Magnus Westerlund
- Re: [rtcweb] Consensus call regarding media secur… Eric Rescorla