IETF Logo Mail Archive

Re: [rtcweb] Security Architecture: SDES support is a MUST

Bernard Aboba <bernard_aboba@hotmail.com> Thu, 19 July 2012 20:40 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1021A11E8086 for <rtcweb@ietfa.amsl.com>; Thu, 19 Jul 2012 13:40:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.389
X-Spam-Level:
X-Spam-Status: No, score=-102.389 tagged_above=-999 required=5 tests=[AWL=0.210, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D2vcmGP8t7dv for <rtcweb@ietfa.amsl.com>; Thu, 19 Jul 2012 13:40:02 -0700 (PDT)
Received: from blu0-omc2-s12.blu0.hotmail.com (blu0-omc2-s12.blu0.hotmail.com [65.55.111.87]) by ietfa.amsl.com (Postfix) with ESMTP id 420FC21F8634 for <rtcweb@ietf.org>; Thu, 19 Jul 2012 13:40:02 -0700 (PDT)
Received: from BLU169-DS14 ([65.55.111.73]) by blu0-omc2-s12.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 19 Jul 2012 13:40:56 -0700
X-Originating-IP: [131.107.0.87]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU169-DS1488EF1F32A1EB2027582093D90@phx.gbl>
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: igor.faynberg@alcatel-lucent.com, rtcweb@ietf.org
References: <201207190742.q6J7glf6008744@vivaldi29.register.it> <500834FE.5040809@alcatel-lucent.com> <500835E1.2070502@infosecurity.ch> <50084717.7060301@alcatel-lucent.com>
In-Reply-To: <50084717.7060301@alcatel-lucent.com>
Date: Thu, 19 Jul 2012 13:40:54 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIXSOwIWv2p57H8l8mK12N1m7gdrwHW/w4JAX8XnSgA5ExXypZ7d3Xg
Content-Language: en-us
X-OriginalArrivalTime: 19 Jul 2012 20:40:56.0068 (UTC) FILETIME=[CBDFDC40:01CD65EE]
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 20:40:03 -0000

Self-signed certificates are only appropriate for a subset of scenarios.  Do
we expect IdP to be widely deployed in high security scenarios for
government, financial or medical applications?  I do not.
  
Do we expect a call center to utilize IdP with a self-signed certificate?
More likely is that they will utilize a certificate chaining to a trust
anchor. 

-----Original Message-----
From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of
Igor Faynberg
Sent: Thursday, July 19, 2012 10:43 AM
To: rtcweb@ietf.org
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST

If both parties have certificates, DTLS will provide end-to-end security.
(I have not yet heard a convincing argument why  the certificates--I mean
not self-signed ones--cannot be used.)  And if the parties share a key, DTLS
will work, too.

Igor

v2.23.0 | Report a Bug | By Email