IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Dan Wing <dwing@cisco.com> Tue, 07 May 2013 16:06 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A5621F8F2C for <rtcweb@ietfa.amsl.com>; Tue, 7 May 2013 09:06:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.999
X-Spam-Level:
X-Spam-Status: No, score=-109.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_111=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grR6O02hRo2y for <rtcweb@ietfa.amsl.com>; Tue, 7 May 2013 09:06:54 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id ADC7121F8D0D for <rtcweb@ietf.org>; Tue, 7 May 2013 09:06:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2521; q=dns/txt; s=iport; t=1367942814; x=1369152414; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=zSRXmUqYCDj3PSZPmmmZkt3LzQxXkqOIEmWfdDw1quk=; b=dgYhyK0cC8Lnm1legpJQwlJ5YUyiDapkJ4LXU+jEtPTeQfsbffYV45jB COok0nb2p0+f5KUiwI4CcRaGcI4PnjXiS/xtpTwN5aCM4LmyNuKEhlpM1 1lG6GhM8FEKzzN/ffgtr1l9i9lIOdxueGrNhEIDYGudztC5POd/Zpig+d c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ai8FAIkliVGrRDoJ/2dsb2JhbAA6DQmDBze/CYEIFnSCHwEBAQMBeQUHBAsRBAEBARMUB0YJCAYTiAYFsw6OQ41pD4EIMwcGgm5hA4kbikWDT4YXiyCDLhw
X-IronPort-AV: E=Sophos;i="4.87,629,1363132800"; d="scan'208";a="80512949"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-2.cisco.com with ESMTP; 07 May 2013 16:06:53 +0000
Received: from [10.32.240.194] ([10.32.240.194]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r47G6q80023729; Tue, 7 May 2013 16:06:52 GMT
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <F3005B7CDE1DA5498B794C655CE1641E089287@GENSJZMBX03.msg.int.genesyslab.com>
Date: Tue, 07 May 2013 09:06:52 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <65B9872A-12D8-4CD3-85B6-DDCA13652D0C@cisco.com>
References: <3FA2E46D-C98E-4FC0-9F1D-AD595A861CE1@iii.ca> <74300615-2293-4DCE-82A7-475F1A5A8256@gmail.com> <91B4F744-2201-4361-A8D8-7D36F47B865C@cisco.com> <CALiegfnqW26gEMYNpjJyzu=Nd6z9wCjvZbuY1N2tYvbfQiHyPA@mail.gmail.com> <95219856-8365-4A7E-BD0B-4EECE8868498@phonefromhere.com> <517A820F.9050807@alvestrand.no> <22E6A779-1573-4EDE-82D6-B1A831CE4833@cisco.com> <F3005B7CDE1DA5498B794C655CE1641E088481@GENSJZMBX03.msg.int.genesyslab.com> <EA463351-7630-4F9C-ABDC-E79A77158B7D@phonefromhere.com> <F3005B7CDE1DA5498B794C655CE1641E089287@GENSJZMBX03.msg.int.genesyslab.com>
To: Henry Lum <Henry.Lum@genesyslab.com>
X-Mailer: Apple Mail (2.1503)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 16:06:59 -0000

On May 7, 2013, at 7:55 AM, Henry Lum <Henry.Lum@genesyslab.com> wrote:

> Does the signalling and DTLS media stream need to use the same certificate or the certificates

No, DTLS-SRTP does not require they have the same certificate.  It does require the certificate fingerprint be sent in call signaling (in the SDP a=fingerprint line), and that the certificate exchanged in DTLS match that fingerprint.  This binds the call signaling to the media.

-d


> can be from the same organization right? The contact center gateway and the recording element would be different components and hence have different certificates from the same organization.
> 
> I agree it would be useful for a browser to warn the user that the media stream is coming from a different identity than the signalling if we agree that DTLS is the only transport.
> 
> Regards,
> Henry
> 
> -----Original Message-----
> From: Tim Panton [mailto:tim@phonefromhere.com] 
> Sent: May-07-13 4:50 AM
> To: Henry Lum
> Cc: Dan Wing; Harald Alvestrand; rtcweb@ietf.org
> Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
> 
> 
> On 6 May 2013, at 15:30, Henry Lum wrote:
> 
>> Chiming in late.
>> 
>> Speaking from a contact center perspective, a lot of calls are required to be recorded. In order to allow active recording (such as SIPREC), the contact center has to provide a media endpoint for bridging media so that a copy of the media can be created. The users will have to trust the contact center to handle the media anyways, and the media must be decrypted and re-encrypted by some media element within the contact center to perform recording. To me DTLS-SRTP-EKT does not provide any additional benefit over SDES for this type of use case.
> 
> It can provide an identity benefit. A bank contact center can offer an x509 certificate (from a trusted CA) over the DTLS media stream. 
> That's a big difference from the web server offering a cert over https - the channel that may be shared with the signalling channel, which in turn 
> may have set up the media.
> 
> Direct assertion vs 2 uncertain hops.
> 
> Of course the utility of that depends on the combined UX of the browser chrome and the site, but at least it is possible...
> 
> There should perhaps be some extra chrome 'bling' if the cert that arrives over DTLS matches the HTTPS one that brought the signalling.
> 
> T.
> 
>

v2.23.0 | Report a Bug | By Email