Re: [rtcweb] SDES-SRTP as a platform for multiple key management

Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 29 March 2012 21:23 UTC

Return-Path: <oscar.ohlsson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A7DF21E801F for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 14:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.848
X-Spam-Level:
X-Spam-Status: No, score=-7.848 tagged_above=-999 required=5 tests=[AWL=-1.599, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNP0RYIHa6T8 for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 14:23:10 -0700 (PDT)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id 15E0021E801A for <rtcweb@ietf.org>; Thu, 29 Mar 2012 14:23:09 -0700 (PDT)
X-AuditID: c1b4fb2d-b7b76ae0000063d8-99-4f74d2bc735b
Authentication-Results: mailgw1.ericsson.se x-tls.subject="/CN=esessmw0191"; auth=fail (cipher=AES128-SHA)
Received: from esessmw0191.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client CN "esessmw0191", Issuer "esessmw0191" (not verified)) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id 6F.B5.25560.CB2D47F4; Thu, 29 Mar 2012 23:23:08 +0200 (CEST)
Received: from ESESSCMS0360.eemea.ericsson.se ([169.254.1.51]) by esessmw0191.eemea.ericsson.se ([153.88.115.84]) with mapi; Thu, 29 Mar 2012 23:23:07 +0200
From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
Date: Thu, 29 Mar 2012 23:23:07 +0200
Thread-Topic: [rtcweb] SDES-SRTP as a platform for multiple key management
Thread-Index: Ac0N5aWeoPueFkFHTg+96UfvCqhAjQAC0myQ
Message-ID: <A1B638D2082DEA4092A268AA8BEF294D194602DB64@ESESSCMS0360.eemea.ericsson.se>
References: <4F74BDBA.4020701@infosecurity.ch>
In-Reply-To: <4F74BDBA.4020701@infosecurity.ch>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sv-SE, en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDES-SRTP as a platform for multiple key management
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 21:23:11 -0000

Hi,

While I'm in favour of SDES I don't believe this is a particularly strong argument. To provide any real security gain, any additional signing or encryption that you may think of has to be performed outside of the webapp's control.

Regards,

Oscar

> -----Original Message-----
> From: rtcweb-bounces@ietf.org 
> [mailto:rtcweb-bounces@ietf.org] On Behalf Of Fabio Pietrosanti (naif)
> Sent: Thursday, March 29, 2012 9:54 PM
> To: <rtcweb@ietf.org>
> Subject: [rtcweb] SDES-SRTP as a platform for multiple key management
> 
> Hi all,
> 
> i've been thinking that one of the very interesting elements 
> about the support of SDES-SRTP, is that, other than providing 
> compatibility with existing telephony ecosystem, it may allow 
> the implementation of custom key managegement systems.
> 
> Basically if WebRTC would introduce support for SDES-SRTP and 
> w3c would define API to handle SDES SDP call keys, it would 
> become possible to further implement in Javascript additional 
> key management systems.
> 
> For example someone may implement a javascript application to 
> be provided from an https source or browser extension 
> additional to implement OpenPGPJS based identity verification 
> (http://openpgpjs.org/) or integration with DH based key 
> exchange (https://github.com/kaepora/cryptocat/).
> 
> So basically a side-effect of introducing SDES-SRTP, could be to let
> HTML5 application developers, to effectively be able to 
> implement custom security mechanisms for voice applications.
> 
> --
> Fabio Pietrosanti
> Founder, CTO
> 
> Tel: +39 02 85961748 (direct)
> Mobile: +39 340 1801049
> E-mail: fabio.pietrosanti@privatewave.com
> Skype: fpietrosanti
> Linkedin: http://linkedin.com/in/secret
> 
> PrivateWave Italia S.p.A.
> Via Gaetano Giardino 1 - 20123 Milano - Italy 
> www.privatewave.com _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>