Re: [rtcweb] Let's define the purpose of WebRTC

"DRAGE, Keith (Keith)" <> Wed, 09 November 2011 13:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C902B21F8C50 for <>; Wed, 9 Nov 2011 05:05:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -105.725
X-Spam-Status: No, score=-105.725 tagged_above=-999 required=5 tests=[AWL=-0.377, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_93=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id D0eLZQJfa4Hx for <>; Wed, 9 Nov 2011 05:05:17 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4B46921F8C4E for <>; Wed, 9 Nov 2011 05:05:17 -0800 (PST)
Received: from ( []) by (8.14.3/8.14.3/ICT) with ESMTP id pA9D5CAI003948 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 9 Nov 2011 14:05:14 +0100
Received: from ([]) by ([]) with mapi; Wed, 9 Nov 2011 14:04:56 +0100
From: "DRAGE, Keith (Keith)" <>
To: Neil Stratford <>, =?iso-8859-1?Q?I=F1aki_Baz_Castillo?= <>
Date: Wed, 9 Nov 2011 14:04:55 +0100
Thread-Topic: [rtcweb] Let's define the purpose of WebRTC
Thread-Index: Acye3pUFe/nx9KxRT1Oz4agdkhbsQgAAOcfQ
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_EDC0A1AE77C57744B664A310A0B23AE22186AAFDFRMRSSXCHMBSC3d_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.69 on
Cc: "" <>
Subject: Re: [rtcweb] Let's define the purpose of WebRTC
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Nov 2011 13:05:18 -0000

If you want to be in the world of telecommunications you carry a legacy baggage.

Your proposal to provide a gateway is just one way of dealing with the legacy baggage. It does however carry the downside that you need a player to provide such gateways in support of interworking to the legacy.

Suppose I make an emergency call to a PSAP. The legacy baggage here is that unless someone volunteers to provide all those PSAPs worldwide with new kit, the majority will remain connected to the PSTN (i.e. not even SIP). I need a guarantee that someone out there will provide a gateway. Which player provides that in your business model.


From: [] On Behalf Of Neil Stratford
Sent: 09 November 2011 12:53
To: Iñaki Baz Castillo
Subject: Re: [rtcweb] Let's define the purpose of WebRTC

Wouldn't it be great if we had an opportunity to start from a clean sheet, carry no legacy baggage and design a platform for the future? Isn't that the opportunity presented by WebRTC?

It will always be possible to gateway to legacy SIP devices, even if we have to bridge the media. It seems there is far too much focus on interop and not enough on what is best for the WebRTC platform.


On Wed, Nov 9, 2011 at 11:58 AM, Iñaki Baz Castillo <<>> wrote:
2011/11/9 Muthu Arul Mozhi Perumal (mperumal) <<>>:
> I am thinking we could burn SRTP into the browser such that the decision of whether or not to use SRTP vests solely with the browser.
The "browser" cannot decide that. Probably you mean the user, that
person that in 99.999% of cases does not know what "encryption" or
"SRTP" is, and in 85% of cases does not matter about security.

> If a WebRTC browser is exchanging media with another WebRTC browser they always do SRTP/SRTCP.
The browser has NO way to determine whether it's exchanging media with
another browser or not. And what you state is that, in case the peer
does not annouce support for SRTP then the browser should downgrade
security to plain RTP. The user (web visitor) has no way to know
whether the WebRTC application will contact a WebRTC browser or
another device at the media plane.

> If either side isn't WebRTC compliant they end up with RTP/RTCP.
So no security. Bad.

> This way we don't need to trust the JS, instead trust only the browser.
You mean the user.

> We can also interoperate with legacy devices without taxing them.
Sorry, but WebRTC is about "realtime communications for the Web",
rather than "SIP business coming to the Web". SIP uses RTP, including
RFC's about SRTP. If you want SIP interoperability with a WebRTC
device, then make your work as vendor and add security to your SIP
devices rather than asking no-security for WebRTC.

Please, take a look to XMPP/Jingle !!  They implement SRTP and ICE
from the beginning!! *Do* your homeworks as SIP vendor.

This is a problem of SIP vendors/telcos, this is not a problem of
WebRTC. You should implement SRTP in your legacy and non-secure SIP
devices and make them valid for communication across the open Internet
in which security is a MUST (Internet is not a telco wallen garden).
The main purpose of WebRTC is not to interoperate with insecure
devices, do we all agree here?

I don't support this kind of arguments in favour of non mandating SRTP.

PS: Somebody could argue that, in the Web, neither HTTPS or
WebSocket+TLS is a MUST but optional per website, so why to make SRTP
mandatory? That would be a very different argument I could understand
and discuss about. But forcing a *new* specification to be insecure
just to allow interoperability with non-secure devices is not welcome.
WebRTC is for the Web, not for SIP.

PS: This kind of discussions give the reason to recent comments like
the one from Tim Parton. This WG is too much focused on SIP
vendors/telcos which are not fully interested in RTC communications in
pure Web/Internet environments, but in making the web browsers a new
SIP phone for integratting them into their telco business. Bad.

PS: I'm also interested in interoperability between WebRTC browsers
and SIP devices (as much as you), but I assume that just a few SIP
devices MUST be able to interop with WebRTC (those that have done
their homeworks by implementing SRTP and ICE).

And those discussions are becoming very boring. There are not new
arguments at all. It seems than within next weeks/months, SIP
telcos/vendors will continue requesting not mandatory SRTP just to
facilitate their business without investing in improving their
non-secure devices. This is a no-go.


Iñaki Baz Castillo
rtcweb mailing list<>