Re: [rtcweb] URI schemes for TURN and STUN

[Eric Rescorla <ekr@rtfm.com>]

On Sat, Oct 29, 2011 at 9:44 PM, Keith Moore <moore@network-heretics.com> wrote:
>
> On Oct 30, 2011, at 12:40 AM, Harald Alvestrand wrote:
>
>> On 10/29/2011 04:23 PM, Marc Petit-Huguenin wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 10/29/2011 03:36 PM, Iñaki Baz Castillo wrote:
>>>> 2011/10/29 Harald Alvestrand<harald@alvestrand.no>:
>>>>> - I do not think it's appropriate to use "turn" and "turns" for indicating
>>>>> transport. Polluting the URI namespace with more configuration parameters in
>>>>> the form of trailing "s" is a Bad Thing.
>>>> But there should be some way to indicate that a TURN server listens in
>>>> TLS, right?
>>>>
>>> We should continue this discussion in BEHAVE, but I would like to ask the OP to
>>> send a pointer on the RFC or discussion that says that using a trailing "s" to
>>> indicate security is a bad thing.
>> I'll have to forward this question to the apps ADs of a few years ago about whether there's documentation for it. It does not seem to have been captured in an RFC that I can find; discussion was in the ~2000-2005 timeframe.
>>
>> The short version, from memory: Doing "s" locks you into one and exactly one security scheme, and prevents you from saying anything about the requisite parameters for that scheme, while using AUTH parameters such as POP or in-band negotiation such as IMAP  are much more flexible approaches.
>
> Security schemes change over time as new (presumably better) ones appear, and vulnerabilities are discovered in old ones.   There's nothing inherently wrong with having a URI scheme end in "s".  But it's a Bad Idea to promote the notion that "s" means "security".

What the "s" means is "Connect via TLS and check the server cert".
People are free to infer
whatever they want about the level of "security" provided.

-Ekr