Re: [rtcweb] Security Architecture: SDES support is a MUST
Harald Alvestrand <harald@alvestrand.no> Fri, 20 July 2012 13:27 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D11D221F85A4 for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2012 06:27:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDVuEWkqPNus for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2012 06:27:02 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 39C6F21F8596 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 06:27:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 5C84939E179 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:27:57 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XO2b2KoBy-5m for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:27:56 +0200 (CEST)
Received: from [192.168.1.16] (unknown [188.113.88.47]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id 3AC0939E091 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:27:56 +0200 (CEST)
Message-ID: <50095CE7.6030202@alvestrand.no>
Date: Fri, 20 Jul 2012 15:28:07 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <201207190742.q6J7glf6008744@vivaldi29.register.it> <500834FE.5040809@alcatel-lucent.com> <500835E1.2070502@infosecurity.ch> <50084717.7060301@alcatel-lucent.com> <BLU169-DS1488EF1F32A1EB2027582093D90@phx.gbl> <5008F7B9.7020804@infosecurity.ch> <500957ED.90807@alvestrand.no> <50095AAC.7030104@infosecurity.ch>
In-Reply-To: <50095AAC.7030104@infosecurity.ch>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2012 13:27:02 -0000
On 07/20/2012 03:18 PM, Fabio Pietrosanti (naif) wrote: > On 7/20/12 3:06 PM, Harald Alvestrand wrote: >>> Current security definition of WebRTC does not support end-to-end >>> security. >> The current security definition of WebRTC (with DTLS) provides >> fingerprints. >> If the application is able to verify those fingerprints, security is end >> to end; if it isn't - it isn't. > The security specification already does specify how the fingerprint must > be checked, against a third party system that must be trusted (unless > there is some recent update i didn't still checked). > > The way the specification describe fingerprint must be checked, does not > enforce end-to-end security but always rely on trusted third party, > being IdP (identity providers). > > The only way to achieve end-to-end security is not to have any kind of > trusted third party, as has been already discussed on > http://www.ietf.org/mail-archive/web/rtcweb/current/msg04043.html . That link is your request to have SAS considered mandatory. I believe you got some support for that proposal, or at least some kind of availability of digest information that can be verified independently, but I do not believe that you got any support for having SAS be the one and only definition of "end to end security". Thus, you may get support for your real request, but not for the language you use to describe it. > > Until WebRTC security architecture specification does not clearly define > a peer-to-peer fingerprint verification system that does not rely on > trusted third party it cannot be considered to provide end-to-end security. > > Fabio > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] Security Architecture: SDES support is a… Domenico Colella
- Re: [rtcweb] Security Architecture: SDES support … Igor Faynberg
- Re: [rtcweb] Security Architecture: SDES support … Fabio Pietrosanti (naif)
- Re: [rtcweb] Security Architecture: SDES support … Igor Faynberg
- Re: [rtcweb] Security Architecture: SDES support … Dan Wing
- Re: [rtcweb] Security Architecture: SDES support … Roman Shpount
- Re: [rtcweb] Security Architecture: SDES support … Bernard Aboba
- Re: [rtcweb] Security Architecture: SDES support … Dan Wing
- Re: [rtcweb] Security Architecture: SDES support … Fabio Pietrosanti (naif)
- Re: [rtcweb] Security Architecture: SDES support … Harald Alvestrand
- Re: [rtcweb] Security Architecture: SDES support … Fabio Pietrosanti (naif)
- Re: [rtcweb] Security Architecture: SDES support … Harald Alvestrand
- Re: [rtcweb] Security Architecture: SDES support … Eric Rescorla
- Re: [rtcweb] Security Architecture: SDES support … Dan Wing
- Re: [rtcweb] Security Architecture: SDES support … Alan Johnston
- Re: [rtcweb] Security Architecture: SDES support … domenico.colella