Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Tim Panton <tim@phonefromhere.com> Thu, 15 September 2011 09:51 UTC

Return-Path: <tim@phonefromhere.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58D7821F84C1 for <rtcweb@ietfa.amsl.com>; Thu, 15 Sep 2011 02:51:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level:
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScQbP65SJuE4 for <rtcweb@ietfa.amsl.com>; Thu, 15 Sep 2011 02:51:08 -0700 (PDT)
Received: from zimbra.westhawk.co.uk (zimbra.westhawk.co.uk [192.67.4.167]) by ietfa.amsl.com (Postfix) with ESMTP id C453021F862F for <rtcweb@ietf.org>; Thu, 15 Sep 2011 02:51:02 -0700 (PDT)
Received: from [192.168.0.14] (unknown [93.89.81.113]) by zimbra.westhawk.co.uk (Postfix) with ESMTP id 56B5137A902; Thu, 15 Sep 2011 11:06:09 +0100 (BST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Tim Panton <tim@phonefromhere.com>
In-Reply-To: <09b501cc726d$66655360$332ffa20$@com>
Date: Thu, 15 Sep 2011 10:53:13 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <52B1B3C9-A5D2-473A-9A7F-FC7EE6EAD259@phonefromhere.com>
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <4E6A56D4.2030602@skype.net> <CABcZeBOdP6cAqBoiSV-Vdv1_EK3DfgnMamT3t3ccjDOMfELfBw@mail.gmail.com> <CAKhHsXFdU1ZaKQF8hbsOxwTS-_RfmFqQhgzGe=K4mRp+wz+_nQ@mail.gmail.com> <4E6A81EC.3080002@jesup.org>, <4E6AE22A.2070106@alum.mit.edu> <7F2072F1E0DE894DA4B517B93C6A05852233C3B7C5@ESESSCMS0356.eemea.ericsson.se>, <4E6C16FF.1000706@jesup.org> <BBF498F2D030E84AB1179E24D1AC41D61C1BCA829D@ESESSCMS0362.eemea.ericsson.se> <4E6CB9F7.2060208@mozilla.com> <4E6DB7F4.3090404@skype.net> <09b501c c726d$66655360$332ffa20$@com>
To: Dan Wing <dwing@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2011 09:51:11 -0000

On 14 Sep 2011, at 00:32, Dan Wing wrote:
>> 
> 
> SDES is also not as secure as DTLS-SRTP, reference RFC5479.
> 
> -d


I had my mind rather forcibly changed on this by reading this:
https://www.owasp.org/index.php/File:SSL_paved_with_good_intentions.pdf
and
http://www.slate.com/id/2265204/

Basically any key exchange that depends for it's security on https: is worthless.

Tim (as usual speaking for himself)

P.S. I particularly enjoyed the idea of embedding logos in X509 certs (seems this is valid).