Re: [rtcweb] SRTP - mandatory to implement vs mandatory to use (Re: Let's define the purpose of WebRTC)

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 08 November 2011 15:19 UTC

On 2011-11-07 10:07, Harald Alvestrand wrote:
>
> At the moment, draft-ietf-rtcweb-rtp-usage does not contain any 
> requirement on SRTP usage (the security section says "A mandatory to 
> implement media security solution will be required to be picked", which 
> I think is a bit weak), and the discussion at the time did not seem to 
> indicate consensus that SRTP must be used always, so I decided to 
> document what we seemed to have consensus on - that SRTP MUST be 
> implemented.

Yes, we haven't spent much time on the security consideration section
yet. "A mandatory to implement media security solution will be required
to be picked" is a pointer at this WG, not the implementor.

I would also point at our Charter that in its last paragraph says:
"The products of the working group will support security and keying as
required by BCP 61"

If you haven't read BCP 61 you probably should. It basically says two
things. IETF should pick strong security and it shall be MANDATORY to
IMPLEMENT. I at least as chair will ensure that we have fulfilled this.
And that means for RTP not only encryption and integrity protection,
probably SRTP, but also a keying method.

Yes, we (authors of draft-ietf-rtcweb-rtp-usage) will write that SRTP is
a MUST implement as soon as we have that consensus established. But we
will need a keying scheme also and determine where it should be documented.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------