IETF Logo Mail Archive

Re: [rtcweb] SRTP not mandatory-to-use

<Markus.Isomaki@nokia.com> Wed, 14 December 2011 12:24 UTC

Return-Path: <Markus.Isomaki@nokia.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D802721F8AFE for <rtcweb@ietfa.amsl.com>; Wed, 14 Dec 2011 04:24:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nfiWVSyjjjWJ for <rtcweb@ietfa.amsl.com>; Wed, 14 Dec 2011 04:24:03 -0800 (PST)
Received: from mgw-da02.nokia.com (smtp.nokia.com [147.243.128.26]) by ietfa.amsl.com (Postfix) with ESMTP id 4759921F8591 for <rtcweb@ietf.org>; Wed, 14 Dec 2011 04:24:02 -0800 (PST)
Received: from vaebh104.NOE.Nokia.com (vaebh104.europe.nokia.com [10.160.244.30]) by mgw-da02.nokia.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id pBECNqcK030348; Wed, 14 Dec 2011 14:23:59 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.56]) by vaebh104.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Wed, 14 Dec 2011 14:23:58 +0200
Received: from 008-AM1MPN1-042.mgdnok.nokia.com ([169.254.2.245]) by 008-AM1MMR1-001.mgdnok.nokia.com ([65.54.30.56]) with mapi id 14.01.0355.003; Wed, 14 Dec 2011 13:23:57 +0100
From: Markus.Isomaki@nokia.com
To: xavier.marjou@gmail.com, rtcweb@ietf.org
Thread-Topic: [rtcweb] SRTP not mandatory-to-use
Thread-Index: AQHMukWLY43bKnjgikyLRdBKEOrBxJXbPqpQ
Date: Wed, 14 Dec 2011 12:23:57 +0000
Message-ID: <E44893DD4E290745BB608EB23FDDB76213419C@008-AM1MPN1-042.mgdnok.nokia.com>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com>
In-Reply-To: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [88.114.31.241]
Content-Type: multipart/alternative; boundary="_000_E44893DD4E290745BB608EB23FDDB76213419C008AM1MPN1042mgdn_"
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Dec 2011 12:23:58.0571 (UTC) FILETIME=[413563B0:01CCBA5B]
X-Nokia-AV: Clean
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2011 12:24:05 -0000

Hi Xavier,

In your case the VPN use might be good enough from enterprise IT perspective, but not necessarily for individual employees suspicious of their co-workers, or the IT department, for that matter :)

As far as I can tell, the trend in corporate services is towards service-specific end-to-end security and away from L3 VPN type of catch-all solutions. For instance, I'm now connected to my corporate e-mail over TLS and to my corporate VoIP over TLS and SRTP, not having my IPSec VPN on. 5 years ago I could only access those services using the VPN.

Markus


From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of ext Xavier Marjou
Sent: 14 December, 2011 11:48
To: rtcweb@ietf.org
Subject: [rtcweb] SRTP not mandatory-to-use

Hi,

During the last IETF meeting, there seemed to be many people willing to have SRTP mandatory-to-use in the browser. However, I would like again to underline that in some contexts, it is rather desirable to deactivate, via the WebRTC API, the use of SRTP in order not to encrypt/decrypt at multiple layers.

This may be the case in the following example: a company wants to use WebRTC for communications between its co-workers only; the web server and the script using WebRTC API are located on the VPN. In such a case, there is no need to use SRTP. The VPN already provides encryption when needed. If co-workers want to remotely access the VPN, an IPsec tool can already provide the encryption. Furthermore, if they want to remotely access the VPN via a 3G network, there will be encryption at layer 2 using AKA, then IPsec at layer 3, and again at SRTP level if mandatory-to-use.

Cheers,
Xavier

v2.23.0 | Report a Bug | By Email