Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Dzonatas Sol <dzonatas@gmail.com> Fri, 09 September 2011 18:28 UTC

Return-Path: <dzonatas@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55C3721F86A4 for <rtcweb@ietfa.amsl.com>; Fri, 9 Sep 2011 11:28:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.964
X-Spam-Level:
X-Spam-Status: No, score=-3.964 tagged_above=-999 required=5 tests=[AWL=-0.365, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cMuwEn9MtTWA for <rtcweb@ietfa.amsl.com>; Fri, 9 Sep 2011 11:28:47 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5CAEB21F8610 for <rtcweb@ietf.org>; Fri, 9 Sep 2011 11:28:47 -0700 (PDT)
Received: by ywa6 with SMTP id 6so216119ywa.31 for <rtcweb@ietf.org>; Fri, 09 Sep 2011 11:30:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=U6JSXFPemTrSJmAC65Wj3/BEKUgtSM6RR0y9f74jorI=; b=j78hPnMHTsJvUtZf16OkERtN6lBeiZ28ZYGIcz0b09IEGjjawefTKlN65qWAXlBSL3 GrJ+mVAfReSN+OrSxIRNzqSrLzKtZlcgvZtCCL0yiLuEuqcida2+AD4r1viGp+1A/1Ur NB68j+1w1k31iqe8eqBxNEBZZbEb5WPaQ8XgE=
Received: by 10.68.64.193 with SMTP id q1mr928447pbs.237.1315593042528; Fri, 09 Sep 2011 11:30:42 -0700 (PDT)
Received: from [192.168.0.50] (adsl-70-133-70-225.dsl.scrm01.sbcglobal.net. [70.133.70.225]) by mx.google.com with ESMTPS id i1sm21874539pbe.1.2011.09.09.11.30.40 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 09 Sep 2011 11:30:41 -0700 (PDT)
Message-ID: <4E6A5BC7.40507@gmail.com>
Date: Fri, 09 Sep 2011 11:32:39 -0700
From: Dzonatas Sol <dzonatas@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110505 Icedove/3.0.11
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <101C6067BEC68246B0C3F6843BCCC1E31018BF6BE2@MCHP058A.global-ad.net> <4E540FE2.7020605@alcatel-lucent.com> <2E239D6FCD033C4BAF15F386A979BF5106423F@sonusinmail02.sonusnet.com> <4E6595E7.7060503@skype.net> <4E661C83.5000103@alcatel-lucent.com> <2E239D6FCD033C4BAF15F386A979BF510F086B@sonusinmail02.sonusnet.com> <4E666926.8050705@skype.net> <43A0D702-1D1F-4B4E-B8E6-C9F1A06E3F8A@edvina.net> <033458F56EC2A64E8D2D7B759FA3E7E7020E64DC@sonusmail04.sonusnet.com> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <4E6A56D4.2030602@skype .net>
In-Reply-To: <4E6A56D4.2030602@skype.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 18:28:48 -0000

On 09/09/2011 11:11 AM, Matthew Kaufman wrote:
> On 9/9/11 10:47 AM, Alan Johnston wrote:
>>    The default will be SRTP - this can be
>> expressed in SDP without CapNeg.  Should the RTCWEB clients choose to
>> instead negotiate RTP, then this could be done with a second SDP
>> Offer/Answer exchange.
>
> I believe you've just designed a downgrade vulnerability.

 From the CPU perspective, any analogue signal is "insecure" (no matter 
how useful), and the words are interchangeable until something is 
purposely made further insecure or further processed unto digital-only.

Downgrade is recoverable, yet something that leads to collapse of state 
from the VM is not.

-- 
--- http://twitter.com/Dzonatas_Sol ---
Web Development, Software Engineering
Ag-Biotech, Virtual Reality, Consultant