IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Tim Panton <tim@phonefromhere.com> Tue, 07 May 2013 08:49 UTC

Return-Path: <tim@phonefromhere.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED5FD21F89B0 for <rtcweb@ietfa.amsl.com>; Tue, 7 May 2013 01:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BIHdfXqOL6rR for <rtcweb@ietfa.amsl.com>; Tue, 7 May 2013 01:49:38 -0700 (PDT)
Received: from smtp003.apm-internet.net (smtp003.apm-internet.net [85.119.248.52]) by ietfa.amsl.com (Postfix) with ESMTP id 55E5A21F89D5 for <rtcweb@ietf.org>; Tue, 7 May 2013 01:49:37 -0700 (PDT)
Received: (qmail 26304 invoked from network); 7 May 2013 08:49:35 -0000
X-AV-Scan: clean
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp003.apm-internet.net with SMTP; 7 May 2013 08:49:35 -0000
Received: from zimbra003.verygoodemail.com (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id DB35618A0465; Tue, 7 May 2013 09:49:35 +0100 (BST)
Received: from [192.67.4.33] (unknown [192.67.4.33]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id B7A9B18A026B; Tue, 7 May 2013 09:49:35 +0100 (BST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="windows-1252"
From: Tim Panton <tim@phonefromhere.com>
In-Reply-To: <F3005B7CDE1DA5498B794C655CE1641E088481@GENSJZMBX03.msg.int.genesyslab.com>
Date: Tue, 07 May 2013 09:49:38 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <EA463351-7630-4F9C-ABDC-E79A77158B7D@phonefromhere.com>
References: <3FA2E46D-C98E-4FC0-9F1D-AD595A861CE1@iii.ca> <74300615-2293-4DCE-82A7-475F1A5A8256@gmail.com> <91B4F744-2201-4361-A8D8-7D36F47B865C@cisco.com> <CALiegfnqW26gEMYNpjJyzu=Nd6z9wCjvZbuY1N2tYvbfQiHyPA@mail.gmail.com> <95219856-8365-4A7E-BD0B-4EECE8868498@phonefromhere.com> <517A820F.9050807@alvestrand.no> <22E6A779-1573-4EDE-82D6-B1A831CE4833@cisco.com> <F3005B7CDE1DA5498B794C655CE1641E088481@GENSJZMBX03.msg.int.genesyslab.com>
To: Henry Lum <Henry.Lum@genesyslab.com>
X-Mailer: Apple Mail (2.1283)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2013 08:49:45 -0000

On 6 May 2013, at 15:30, Henry Lum wrote:

> Chiming in late.
> 
> Speaking from a contact center perspective, a lot of calls are required to be recorded. In order to allow active recording (such as SIPREC), the contact center has to provide a media endpoint for bridging media so that a copy of the media can be created. The users will have to trust the contact center to handle the media anyways, and the media must be decrypted and re-encrypted by some media element within the contact center to perform recording. To me DTLS-SRTP-EKT does not provide any additional benefit over SDES for this type of use case.

It can provide an identity benefit. A bank contact center can offer an x509 certificate (from a trusted CA) over the DTLS media stream. 
That's a big difference from the web server offering a cert over https - the channel that may be shared with the signalling channel, which in turn 
may have set up the media.

Direct assertion vs 2 uncertain hops.

Of course the utility of that depends on the combined UX of the browser chrome and the site, but at least it is possible...

There should perhaps be some extra chrome 'bling' if the cert that arrives over DTLS matches the HTTPS one that brought the signalling.

T.

v2.23.0 | Report a Bug | By Email