Re: [rtcweb] SRTP not mandatory-to-use

"Ravindran, Parthasarathi" <pravindran@sonusnet.com> Wed, 11 January 2012 01:52 UTC

From: "Ravindran, Parthasarathi" <pravindran@sonusnet.com>
To: Spencer Dawkins <spencer@wonderhamster.org>, Alan Johnston <alan.b.johnston@gmail.com>, Bernard Aboba <bernard_aboba@hotmail.com>, Cullen Jennings <fluffy@cisco.com>
Date: Wed, 11 Jan 2012 01:53:28 +0000
Message-ID: <387F9047F55E8C42850AD6B3A7A03C6C01DCE799@inba-mail02.sonusnet.com>
In-Reply-To: <4F0CAC8C.8010203@wonderhamster.org>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SRTP not mandatory-to-use
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>

Hi all,

In case the proposal is to use browser configuration for debugging, it is also possible to allow the configuration for sending RTP with user consent for a specific URL (website), and debugging shall use the same infrastructure. I have indicated in another mail thread that

1) An SRTP session is the default in WebRTC (default API value and no configuration).
2) An SRTP session is created if the JavaScript (JS) API requests RTP and there is no configuration in the browser for the specific URL.
3) An SRTP session is created if the configuration in the browser allows RTP for a URL but the JS API does not request it.
4) An RTP session is created if the configuration in the browser allows RTP for a URL and the JS API requests an RTP session.

The above proposal is in line with the current security trust model, wherein the web server is not trusted and user consent is assured for an RTP session. This configuration falls under the same category as the configuration exceptions for plug-ins, pop-up blockers, JavaScript execution and cookies. This proposal provides flexibility in some deployments wherein double encryption shall be avoided or security is assured by a non-WebRTC mechanism. More details are provided in http://www.ietf.org/mail-archive/web/rtcweb/current/msg03108.html.

The point to be noted is that the security key management mechanism is not part of the proposal. Let us discuss separately whether a single key management mechanism (SRTP-DTLS) is sufficient or multiple key management mechanisms like ZRTP, SRTP-SDES and SRTP-DTLS are required for WebRTC.

Please let me know your opinion on this.

Thanks
Partha

>-----Original Message-----
>From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf
>Of Spencer Dawkins
>Sent: Wednesday, January 11, 2012 2:54 AM
>To: Alan Johnston
>Cc: rtcweb@ietf.org
>Subject: Re: [rtcweb] SRTP not mandatory-to-use
>
>On 1/5/2012 11:08 AM, Alan Johnston wrote:
>> On Thu, Jan 5, 2012 at 10:56 AM, Cullen Jennings <fluffy@cisco.com> wrote:
>>>
>>> On Jan 4, 2012, at 8:36 PM, Justin Uberti wrote:
>>>
>>>>
>>>> This argument about debugging keeps coming up, and although I am not
>>>> persuaded by this argument, it is not a completely unreasonable request.
>>>> However, I don't think this needs to be controllable from JS. One could
>>>> easily imagine a plain-RTP option being available from a developer
>>>> options dialog or console, for use by developers in debugging specific
>>>> problems with their service.
>>>
>>> I think the best solution for the debugging issue is to allow SRTP to
>>> negotiate a NULL cipher in special cases such as Justin described above.
>>> This keeps what you are debugging as close as possible to the version
>>> when debugging is turned off. I like Justin's idea of having to enable
>>> this in the browser and not having it under JS control.
>>>
>>> Cullen (in my individual contributor role)
>>
>>
>> This seems like the right way to do this.
>>
>> - Alan -
>
>And to me.
>
>So, just to ask the next question ... if we require the use of SRTP and
>allow NULL ciphers (for debugging and whatnot), are there any remaining
>problems with requiring the use of SRTP?
>
>Thanks,
>
>Spencer
>_______________________________________________
>rtcweb mailing list
>rtcweb@ietf.org
>https://www.ietf.org/mailman/listinfo/rtcweb
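As an added example, not part of this thread or of any WebRTC implementation, the following Python audit walks an SDP offer and reports, per media section, whether plain RTP or SRTP is signalled and which of the key management mechanisms named above (SDES, DTLS, ZRTP) is present, flagging plain RTP as a violation of an SRTP-by-default policy. The SDP is constructed for the example; the profile and attribute names are the standard ones (RFC 3711, RFC 4568, RFC 5764, RFC 6189).

```python
import re

# m= line profiles: AVP/AVPF carry plain RTP; the SAVP family carries SRTP (RFC 3711),
# with UDP/TLS/RTP/SAVPF being the DTLS-keyed profile WebRTC uses.
PLAIN_RTP_PROFILES = {"RTP/AVP", "RTP/AVPF"}
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVPF"}
# Attribute prefixes that reveal the key management mechanism in use.
KEYING_MARKERS = {"a=crypto:": "SDES", "a=fingerprint:": "DTLS", "a=zrtp-hash:": "ZRTP"}


def audit_sdp(sdp, allow_plain_rtp=False):
    """Return one dict per media section: media, transport, keying mechanisms, verdict."""
    parts = re.split(r"^(?=m=)", sdp.strip(), flags=re.MULTILINE)
    session_attrs = parts[0].splitlines()  # session-level a= lines apply to every media section
    report = []
    for section in parts[1:]:
        lines = section.splitlines()
        fields = lines[0].split()
        media, proto = fields[0][2:], (fields[2] if len(fields) > 2 else "")
        attrs = session_attrs + lines[1:]
        keying = sorted({name for line in attrs
                         for prefix, name in KEYING_MARKERS.items() if line.startswith(prefix)})
        if proto in SRTP_PROFILES:
            transport = "SRTP"
            verdict = "ok" if keying else "srtp-without-keying"
        elif proto in PLAIN_RTP_PROFILES:
            transport = "RTP"
            if "ZRTP" in keying:
                # ZRTP (RFC 6189) starts on RTP/AVP and upgrades to SRTP in the media
                # path, so the SDP alone cannot confirm that protection engaged.
                verdict = "zrtp-upgrade-unverified"
            else:
                verdict = "plain-rtp-allowed" if allow_plain_rtp else "plain-rtp-violation"
        else:
            transport, verdict = (proto or "?"), "unknown-profile"
        report.append({"media": media, "transport": transport, "keying": keying, "verdict": verdict})
    return report


# Constructed offer (not captured from a real endpoint); key and fingerprint are placeholders.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
t=0 0
m=audio 5004 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERK
m=video 5006 UDP/TLS/RTP/SAVPF 96
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
a=setup:actpass
m=audio 5008 RTP/AVP 0
"""
```

Note that for DTLS-SRTP the protection profile, including the NULL-cipher profiles discussed in the thread, is negotiated inside the DTLS handshake (use_srtp extension), so a NULL cipher is not visible in the SDP; this check only establishes which transport and keying mechanism were signalled.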