Re: [rtcweb] Consensus call regarding media security

Iñaki Baz Castillo <ibc@aliax.net> Wed, 28 March 2012 21:12 UTC

2012/3/28 Roman Shpount <roman@telurix.com>:
> My main objection is that if an application developer does not take care to
> develop a secure application, nothing you can do on the standard side will
> make it a secure application. If I am building a public voice blog that
> records a voice message that anybody can listen to on the web site, security
> is not needed. My assumption is that a fair number of applications would be
> like this. So for such applications this is an unnecessary feature.

In all those scenarios you mention, using security (SRTP) is not *bad*, is it?
The fact that in certain scenarios it might not be needed does not
mean that "no security" is better than "security".


> WebRTC will not exist in a vacuum. It will communicate with other systems. It
> is not limited to old SIP devices. It can be something new like server side
> speech recognition that is integrated with a web application. For such an
> application, extra code and interop requirements to support security will
> represent a real and significant cost. Any requirement, unless absolutely
> necessary, will create barriers to entry for new applications. I would like
> to avoid as many of those as possible.

RFC 3711 was created in 2004, 8 years ago!

Which "new" application do you mean if it's not capable of implementing a
simple specification from 2004? How "new" is it? Is it really new? Or
is it a "SIP voicemail server" made in 2002?


Sorry but I still see *no* argument at all in favour of allowing plain
RTP in WebRTC. And AFAIK there is already consensus about it: plain
RTP is not allowed.


Regards.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>