Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Matthew Kaufman <matthew.kaufman@skype.net> Mon, 12 September 2011 07:40 UTC

Return-Path: <matthew.kaufman@skype.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F20C621F8672 for <rtcweb@ietfa.amsl.com>; Mon, 12 Sep 2011 00:40:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xxrQxo9sbBKY for <rtcweb@ietfa.amsl.com>; Mon, 12 Sep 2011 00:40:45 -0700 (PDT)
Received: from mx.skype.net (mx.skype.net [78.141.177.88]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE2821F8663 for <rtcweb@ietf.org>; Mon, 12 Sep 2011 00:40:45 -0700 (PDT)
Received: from mx.skype.net (localhost [127.0.0.1]) by mx.skype.net (Postfix) with ESMTP id A2EEA16E2; Mon, 12 Sep 2011 09:42:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=skype.net; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=mx; bh=3af6QI2JSfds/0 cm/JoLJ2J6wUI=; b=LG1NmPosf+ByeFhA1tYjVkD7zudWK/CklPyuVMZnw8gTa7 zAxPo3TFiCGficJCKTTj0QDsTLbFSjSCi817oSwBb2QMrrpTNTd/s/H0hExcb9if v7toFLpyuTdcIMsSa6BKXmwouAgNshx5TbwtiTvLzVV9w22cpW0xtoY7Vfifo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=skype.net; h=message-id:date:from :mime-version:to:cc:subject:references:in-reply-to:content-type: content-transfer-encoding; q=dns; s=mx; b=C2jnAlfg105B+R1F1Y6C0F XznDvUa3A0RQBazkJL8H4Cu4FdftGkxV5KqgAYaNdJC8eNDPsh6h9bcM6SvULzh4 AjE2TKC0b9CzPs/oaO72hqGNTMQEusNlMmc0XI5EwOcmq9Yo22LHlI6SvxwD8C/g M9jPIeIAh0d8iAVl/6gZc=
Received: from zimbra.skype.net (zimbra.skype.net [78.141.177.82]) by mx.skype.net (Postfix) with ESMTP id A14997F8; Mon, 12 Sep 2011 09:42:46 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by zimbra.skype.net (Postfix) with ESMTP id 87D0835070B5; Mon, 12 Sep 2011 09:42:46 +0200 (CEST)
X-Virus-Scanned: amavisd-new at lu2-zimbra.skype.net
Received: from zimbra.skype.net ([127.0.0.1]) by localhost (zimbra.skype.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hA+pZzH76Yz; Mon, 12 Sep 2011 09:42:45 +0200 (CEST)
Received: from Matthew-Kaufman-Air.local (c-217-115-41-36.cust.bredband2.com [217.115.41.36]) by zimbra.skype.net (Postfix) with ESMTPSA id 973AD350704F; Mon, 12 Sep 2011 09:42:45 +0200 (CEST)
Message-ID: <4E6DB7F4.3090404@skype.net>
Date: Mon, 12 Sep 2011 09:42:44 +0200
From: Matthew Kaufman <matthew.kaufman@skype.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: "Timothy B. Terriberry" <tterriberry@mozilla.com>
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <4E6A56D4.2030602@skype.net> <CABcZeBOdP6cAqBoiSV-Vdv1_EK3DfgnMamT3t3ccjDOMfELfBw@mail.gmail.com> <CAKhHsXFdU1ZaKQF8hbsOxwTS-_RfmFqQhgzGe=K4mRp+wz+_nQ@mail.gmail.com> <4E6A81EC.3080002@jesup.org>, <4E6AE22A.2070106@alum.mit.edu> <7F2072F1E0DE894DA4B517B93C6A05852233C3B7C5@ESESSCMS0356.eemea.ericsson.se>, <4E6C16FF.1000706@jesup.org> <BBF498F2D030E84AB1179E24D1AC41D61C1BCA829D@ESESSCMS0362.eemea.ericsson.se> <4E6CB9F7.2060208@mozilla.com>
In-Reply-To: <4E6CB9F7.2060208@mozilla.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2011 07:40:47 -0000

On 9/11/11 3:39 PM, Timothy B. Terriberry wrote:
>> * The level of media protection to use (NONE, SDES-SRTP or DTLS-SRTP) 
>> should be set by the web app
>
> Why wouldn't this devolve to, "Don't communicate anything. Instead, 
> try to create a PeerConnection with DTLS-SRTP, and when that fails, 
> try to create a second one with NONE," in the actual webapp.

Yes.

>
> Or, more likely, since NONE will have a better chance of working with 
> legacy devices, "Try to create a PeerConnection with NONE, and when 
> that fails, try to create a second one with DTLS-SRTP." Assuming 
> anyone bothers with the second step. 

Yes, I believe this is why ekr suggested in his email that 
DTLS-SRTP-only is more likely to result in encrypted connections than 
having both choices available is.

> Having the choice of SDES-SRTP or DTLS-SRTP will also make it more 
> likely people won't bother with either, as they won't know which one 
> to use.

Agree. This is the best reason for not supporting SDES for keying.
> We can try to create incentives with browser chrome, but there's only 
> so much that can do.
Agree.

The best way to evaluate this is "if I was the one sitting in a cafe 
using this, what would I want my browser to do"... and the answer to 
*that* question is "I always want DTLS-SRTP between my browser and the 
other end, or worst case, the gateway". (Even if there seem to be good 
reasons to support plain RTP.)

Matthew Kaufman