Re: [rtcweb] Final plea about SRTP

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 04 May 2012 11:53 UTC

Message-ID: <4FA3C318.4070805@ericsson.com>
Date: Fri, 04 May 2012 13:52:56 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
References: <CAD5OKxtSvdu9gMqfb3ptw5aQJt1NZKLJ1UB_vKRWDXCZurD+1w@mail.gmail.com> <BDA69428-93F2-475B-ABBB-5DE539671DD1@iii.ca> <CAD5OKxs+oZj47DrTSnvaLV7-jNEPOkxjZfJuC5F2fo71kB3-4g@mail.gmail.com> <BLU169-DS251D322307BC173FD221AE932F0@phx.gbl> <CAD5OKxvahkBEs6iVuuyrwuYXzcbKKPvVWL5rx02d6DOhtX_0Cg@mail.gmail.com> <4FA3754D.6020004@ericsson.com> <4FA3776C.5030107@infosecurity.ch>
In-Reply-To: <4FA3776C.5030107@infosecurity.ch>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Final plea about SRTP

Fabio,

Yes, the topics you raise are all suitable for continued discussion and
for a future determination of what the consensus is on them.

Cheers

Magnus Westerlund
(As WG chair)



On 2012-05-04 08:30, Fabio Pietrosanti (naif) wrote:
> On 5/4/12 8:21 AM, Magnus Westerlund wrote:
>> Hi Roman,
>>
>> In my role as a WG chair I have to say that the decision to make SRTP
>> mandatory to use for WebRTC had a very strong consensus behind it. Yes,
>> there are a few individuals like yourself that are on the rough side
>> of this decision.
>>
>> My personal opinion is that the discussion so far in this thread has
>> raised most of the issues with supporting both. I think the bid-down
>> problem is one of the largest for most people. I also see a great
>> benefit with always using SRTP, in that we will get rid of RTP profile
>> negotiation. There will be no need to support any other RTP profile than
>> SAVPF.
> 
> So the next main points to be defined, as far as I understand, are, by
> consensus, the key exchange methods, which could be more or less:
> - Use only DTLS-SRTP (as it is)
> - Use only DTLS-SRTP-EKT
> - Use DTLS-SRTP + SDES-SRTP
> 
> Other than this, I would also suggest discussing the
> "Authentication" of the call, which currently with DTLS-SRTP can be:
> - Based on an IdP (external identity provider)
> - Unauthorized
> 
> I would also introduce the ability to verify the DTLS-SRTP call directly
> and without an intermediary (no trusted third party such as an IdP), with
> methods such as SAS.
> 
> That's the only way to achieve the "end-to-end security" property that
> DTLS-SRTP would like to bring to the WebRTC standard.
> 
> Otherwise DTLS-SRTP will provide "end-to-end encryption with end-to-site
> security" but NO end-to-end security.
> 
> Fabio


-- 

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
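The quoted post distinguishes "end-to-end encryption with end-to-site security" from true end-to-end security: with DTLS-SRTP, each browser learns the peer's certificate fingerprint through the web site's signalling channel (the SDP a=fingerprint attribute), so a site that substitutes fingerprints can sit in the middle of the DTLS handshake on both legs. A short authentication string (SAS) that both endpoints derive from the fingerprints they actually used, and then compare over the media channel, detects such a substitution without an IdP. The following is an added illustration of that check, not code from the thread or from any WebRTC implementation; the hash label SAS_LABEL, the six-digit SAS format, the derivation from certificate fingerprints (real SAS schemes such as ZRTP's derive it from the key agreement instead) and the three fingerprints are all constructed for this example.

```python
"""Added example: deriving and comparing a short authentication string (SAS)
from the DTLS certificate fingerprints used on a DTLS-SRTP call.

Each endpoint trusts the fingerprint of its own certificate and learns the
peer's only via the signalling site.  If the site hands both sides its own
fingerprint, the SAS each side computes no longer agrees, and the users
notice when they compare the digits over the call itself."""
import hashlib
import re

# SDP fingerprint attribute syntax (RFC 4572 / RFC 8122): "a=fingerprint:<alg> <hex pairs>"
FP_LINE = re.compile(
    r"^a=fingerprint:(?P<alg>[A-Za-z0-9-]+)\s+"
    r"(?P<hex>(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})$"
)
DIGEST_LEN = {"sha-256": 32, "sha-1": 20}

# Domain-separation label for the SAS hash: an assumption of this example,
# not a value taken from any WebRTC or SRTP specification.
SAS_LABEL = b"example-dtls-srtp-sas"


def parse_fingerprint(sdp_line):
    """Return (hash_alg, raw_digest) from an a=fingerprint line; reject malformed input."""
    m = FP_LINE.match(sdp_line.strip())
    if m is None:
        raise ValueError("not an a=fingerprint line: %r" % sdp_line)
    alg = m.group("alg").lower()
    raw = bytes.fromhex(m.group("hex").replace(":", ""))
    if alg not in DIGEST_LEN or len(raw) != DIGEST_LEN[alg]:
        raise ValueError("unsupported algorithm or wrong digest length")
    return alg, raw


def to_sdp_line(raw, alg="sha-256"):
    """Format a raw digest as the SDP attribute the signalling channel carries."""
    return "a=fingerprint:%s %s" % (alg, ":".join("%02X" % b for b in raw))


def sas_digest(own_fp, peer_fp):
    """Full SAS hash; the pair is sorted so both endpoints compute the same value."""
    lo, hi = sorted((own_fp, peer_fp))
    return hashlib.sha256(SAS_LABEL + lo + hi).digest()


def sas_digits(own_fp, peer_fp, ndigits=6):
    """Short form users read aloud: the first 32 bits of the hash as decimal digits."""
    d = sas_digest(own_fp, peer_fp)
    return str(int.from_bytes(d[:4], "big") % 10 ** ndigits).zfill(ndigits)


def endpoint_sas(own_fp, peer_sdp_line):
    """What one endpoint displays: SAS over its own cert and the fingerprint it received."""
    _, peer_fp = parse_fingerprint(peer_sdp_line)
    return sas_digits(own_fp, peer_fp)


def sas_match(a_own, a_sees, b_own, b_sees):
    """True when the two endpoints' displayed SAS strings agree."""
    return endpoint_sas(a_own, a_sees) == endpoint_sas(b_own, b_sees)


# Constructed certificate fingerprints: SHA-256 of stand-in byte strings, not real certs.
ALICE_FP = hashlib.sha256(b"constructed: alice DTLS cert").digest()
BOB_FP = hashlib.sha256(b"constructed: bob DTLS cert").digest()
SITE_FP = hashlib.sha256(b"constructed: interposed site cert").digest()


def honest_call():
    # The site relays each peer's own fingerprint untouched: SAS strings agree.
    return sas_match(ALICE_FP, to_sdp_line(BOB_FP), BOB_FP, to_sdp_line(ALICE_FP))


def substituted_call():
    # The site terminates DTLS on both legs and offers its own fingerprint to each
    # side; Alice hashes (ALICE, SITE) while Bob hashes (BOB, SITE), so they differ.
    return sas_match(ALICE_FP, to_sdp_line(SITE_FP), BOB_FP, to_sdp_line(SITE_FP))


if __name__ == "__main__":
    print("honest call, SAS strings agree:", honest_call())
    print("substituted fingerprints, SAS strings agree:", substituted_call())
```

The comparison only helps if the users actually compare the digits over the media path rather than through the same site that carried the SDP, and a six-digit string gives an interposed party roughly a one-in-a-million chance of an accidental match; that residual risk is the usual trade-off between SAS length and usability.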