Re: [rtcweb] SDES-SRTP as a platform for multiple key management
Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 29 March 2012 21:23 UTC
Return-Path: <oscar.ohlsson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A7DF21E801F for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 14:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.848
X-Spam-Level:
X-Spam-Status: No, score=-7.848 tagged_above=-999 required=5 tests=[AWL=-1.599, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNP0RYIHa6T8 for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 14:23:10 -0700 (PDT)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id 15E0021E801A for <rtcweb@ietf.org>; Thu, 29 Mar 2012 14:23:09 -0700 (PDT)
X-AuditID: c1b4fb2d-b7b76ae0000063d8-99-4f74d2bc735b
Authentication-Results: mailgw1.ericsson.se x-tls.subject="/CN=esessmw0191"; auth=fail (cipher=AES128-SHA)
Received: from esessmw0191.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client CN "esessmw0191", Issuer "esessmw0191" (not verified)) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id 6F.B5.25560.CB2D47F4; Thu, 29 Mar 2012 23:23:08 +0200 (CEST)
Received: from ESESSCMS0360.eemea.ericsson.se ([169.254.1.51]) by esessmw0191.eemea.ericsson.se ([153.88.115.84]) with mapi; Thu, 29 Mar 2012 23:23:07 +0200
From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
Date: Thu, 29 Mar 2012 23:23:07 +0200
Thread-Topic: [rtcweb] SDES-SRTP as a platform for multiple key management
Thread-Index: Ac0N5aWeoPueFkFHTg+96UfvCqhAjQAC0myQ
Message-ID: <A1B638D2082DEA4092A268AA8BEF294D194602DB64@ESESSCMS0360.eemea.ericsson.se>
References: <4F74BDBA.4020701@infosecurity.ch>
In-Reply-To: <4F74BDBA.4020701@infosecurity.ch>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sv-SE, en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDES-SRTP as a platform for multiple key management
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 21:23:11 -0000
Hi, While I'm in favour of SDES I don't believe this is a particularly strong argument. To provide any real security gain, any additional signing or encryption that you may think of has to be performed outside of the webapp's control. Regards, Oscar > -----Original Message----- > From: rtcweb-bounces@ietf.org > [mailto:rtcweb-bounces@ietf.org] On Behalf Of Fabio Pietrosanti (naif) > Sent: Thursday, March 29, 2012 9:54 PM > To: <rtcweb@ietf.org> > Subject: [rtcweb] SDES-SRTP as a platform for multiple key management > > Hi all, > > i've been thinking that one of the very interesting elements > about the support of SDES-SRTP, is that, other than providing > compatibility with existing telephony ecosystem, it may allow > the implementation of custom key managegement systems. > > Basically if WebRTC would introduce support for SDES-SRTP and > w3c would define API to handle SDES SDP call keys, it would > become possible to further implement in Javascript additional > key management systems. > > For example someone may implement a javascript application to > be provided from an https source or browser extension > additional to implement OpenPGPJS based identity verification > (http://openpgpjs.org/) or integration with DH based key > exchange (https://github.com/kaepora/cryptocat/) > > So basically a side-effect of introducing SDES-SRTP, could be to let > HTML5 application developers, to effectively be able to > implement custom security mechanisms for voice applications. > > -- > Fabio Pietrosanti > Founder, CTO > > Tel: +39 02 85961748 (direct) > Mobile: +39 340 1801049 > E-mail: fabio.pietrosanti@privatewave.com > Skype: fpietrosanti > Linkedin: http://linkedin.com/in/secret > > PrivateWave Italia S.p.A. > Via Gaetano Giardino 1 - 20123 Milano - Italy > www.privatewave.com _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb >
- [rtcweb] SDES-SRTP as a platform for multiple key… Fabio Pietrosanti (naif)
- Re: [rtcweb] SDES-SRTP as a platform for multiple… Oscar Ohlsson
- Re: [rtcweb] SDES-SRTP as a platform for multiple… Fabio Pietrosanti (naif)