Re: [rtcweb] SRTP not mandatory-to-use

["Ravindran, Parthasarathi" <pravindran@sonusnet.com>]

Hi Inaki,

My proposal is not to trust the website but the user decides based 
on browser configuration. Please see the different combination in
the earlier mail wherein there is no compromise on the security 
trust model.

Human user who "Press the 'Accept unsecure communication' button 
and you will win a car !!!" will allow RTP plug-in to install or 
configure browser to win the car. It is as good as sending the 
air ticket money to unknown country king based on spam mail in 
secured (https) e-mail access user for getting lump sum money 
from King (spammer). 

Also, please note that SRTP-DTLS does not prevent WebRTC server
from accessing the secured WebRTC media (data) but helps user to 
identify that the media is not end-to-end. My statement is based 
on my understanding of WebRTC security architecture

Partha(Browser +  JS) ----------WebRTCserver-----Browser+ JS (Inaki)
      |                                                          |
       ----(SRTP+DTLS)-----WebRTC Media server---(SRTP+DTLS) ----- 

In the above topology, webserver owns WebRTC media server as well. 
Web media server terminates & originates the media. The identity is 
the differentiating factor. For example, if I see the browser window
with identity ibc@gmail.com instead of ibc@aliax.net, then I have to 
understand that browser is not end-to-end because of identity.

My current argument has nothing to do with PSTN interop. AFAIK, 
SRTP-DTLS standardization in WebRTC is good for SBC :-). 

Thanks
Partha

>-----Original Message-----
>From: Iñaki Baz Castillo [mailto:ibc@aliax.net]
>Sent: Wednesday, January 11, 2012 2:24 PM
>To: Ravindran, Parthasarathi
>Cc: Muthu Arul Mozhi Perumal (mperumal); Spencer Dawkins; Alan Johnston;
>Bernard Aboba; Cullen Jennings (fluffy); rtcweb@ietf.org
>Subject: Re: [rtcweb] SRTP not mandatory-to-use
>
>2012/1/11 Ravindran, Parthasarathi <pravindran@sonusnet.com>:
>> I agree with you that it is not website trust but also network has to
>be considered. Please look at this requirement like accessing company
>intranet service (email, document) from public hotspot or Internet café.
>Your usecase wherein the deployment will consider security like VPN
>wherein the (webRTC) application has no need to perform the double
>encryption. In case accessing company (Enterprise) e-mail in a specific
>hotspot/public internet care is unsecure, then accessing company WebRTC
>application is also unsecure. If not, it is perfectly fine to access RTP
>WebRTC application as the security is ensured in some other layer of the
>network.
>
>
>It seems that there is no evolution at all in this issue, same arguments
>as two months ago.
>
>AFAIR the main question/problem is: who does decide when to use SRTP or
>just plain RTP? does such a suggestion come from the web page itself? If
>so, the user (the human user) can be deceived:
>
>  "Press the 'Accept unsecure communication' button and you will win a
>car !!!"
>
>The double encryption is not a problem at all. The application (the
>browser) performs SRTP encryption (no problem here!) and the TCP/IP
>stack in the computer or in the router performs network encryption.
>Which is the problem??? There is no problem at all. All of this just
>seems a poor argument in favour of plain RTP to interoperate with legacy
>and non secure RTP implementations (and this is the fail of lazy SIP
>vendors, don't bring that to WebRTC please).
>
>
>Regards.
>
>--
>Iñaki Baz Castillo
><ibc@aliax.net>