Re: [rtcweb] SRTP - mandatory to implement vs mandatory to use (Re: Let's define the purpose of WebRTC)

"Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com> Thu, 10 November 2011 07:42 UTC

|At the moment, draft-ietf-rtcweb-rtp-usage does not contain any
|requirement on SRTP usage (the security section says "A mandatory 
|to implement media security solution will be required to be picked", 
|which I think is a bit weak), and the discussion at the time did not 
|seem to indicate consensus that SRTP must be used always, so I 
|decided to document what we seemed to have consensus on - that SRTP 
|MUST be implemented.

Does it mean:
a. The WebRTC browser MUST implement SRTP, but the WebRTC service/JS needn't use it OR
b. The WebRTC browser and the service/JS MUST implement SRTP, but the user needn't use it?

thanks,
Muthu

|-----Original Message-----
|From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of Harald Alvestrand
|Sent: Monday, November 07, 2011 2:37 PM
|To: José Luis Millán
|Cc: <rtcweb@ietf.org>
|Subject: [rtcweb] SRTP - mandatory to implement vs mandatory to use (Re: Let's define the purpose of WebRTC)
|
|On 11/06/2011 10:16 AM, José Luis Millán wrote:
|> draft-ietf-rtcweb-overview-02 downgraded the SRTP concerns from
|> mandatory-to-use to mandatory-to-implement. So if it does not
|> downgrade anymore, a WebRTC implementation (game app, greeting cards
|> website..) will have to implement SRTP.
|>
|> IMHO, if a web service doesn't want to take, or cannot take, the hit
|> for SRTP, WebRTC is not the appropriate solution for such a service.
|>
|Forking this thread, since it's actually about a line in the documents....
|
|in draft-ietf-rtcweb-overview-02, I changed this section:
|
|5.  Data framing and securing
|
|    SRTP [RFC3550] is used for transport of all real-time media.
|
|    The detailed considerations for usage of functions from RTP and SRTP,
|    as well as for non-media real-time data, are given in <WORKING GROUP
|    DRAFT "MEDIA TRANSPORTS">.
|
|into this section:
|
|5.  Data framing and securing
|
|    The format for media transport is RTP [RFC3550].  Implementation of
|    SRTP [RFC3711] is required for all implementations.
|
|    The detailed considerations for usage of functions from RTP and SRTP
|    are given in [I-D.ietf-rtcweb-rtp-usage].  Key negotiation for SRTP
|    is described in <MISSING>.  Transfer of data that is not in RTP
|    format is described in <MISSING>.
|
|At the moment, draft-ietf-rtcweb-rtp-usage does not contain any
|requirement on SRTP usage (the security section says "A mandatory to
|implement media security solution will be required to be picked", which
|I think is a bit weak), and the discussion at the time did not seem to
|indicate consensus that SRTP must be used always, so I decided to
|document what we seemed to have consensus on - that SRTP MUST be
|implemented.
|
|If we have consensus to make it stronger again, I'm happy to change it back.
|
|                   Harald