Re: [rtcweb] Encryption mandate

Christopher Blizzard <blizzard@mozilla.com> Thu, 08 September 2011 18:38 UTC

Message-ID: <4E6856A5.9080401@mozilla.com>
Date: Wed, 07 Sep 2011 22:46:13 -0700
From: Christopher Blizzard <blizzard@mozilla.com>
To: rtcweb@ietf.org

On 9/8/2011 2:33 AM, Michael Procter wrote:
> Paul, Olle,
>
> Both of you correctly point out that determining when a session is
> secure is a very hard problem - one that is nigh-on impossible except
> for certain restricted scenarios.  But I think we may have missed the
> change of emphasis in Chris' proposed UI change.  Instead of marking a
> session as secure (which is hard to determine), he is suggesting
> marking it as insecure (which is easier!).
>
> If the signalling and media entering and leaving the browser are not
> secured by an appropriate mechanism, then the session should be marked
> as 'insecure'.  If they are secured, then Chris' proposal would have
> no indication on the browser, which intuitively seems to match what we
> know about the session - secure to the server but 'who knows' after
> that.  Whether that is good enough for you will depend on whether you
> trust the service you are using.
>

Yes, this is a great way to put what I was saying.  Thank you!

--Chris