Re: [rtcweb] Let's define the purpose of WebRTC

Hadriel Kaplan <> Thu, 10 November 2011 19:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D093821F8ACE for <>; Thu, 10 Nov 2011 11:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.315
X-Spam-Status: No, score=-2.315 tagged_above=-999 required=5 tests=[AWL=-0.016, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t0l72wJcgCTW for <>; Thu, 10 Nov 2011 11:47:22 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E2FD221F84FB for <>; Thu, 10 Nov 2011 11:47:21 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 10 Nov 2011 14:47:19 -0500
Received: from ([]) by ([]) with mapi id 14.01.0270.001; Thu, 10 Nov 2011 14:47:20 -0500
From: Hadriel Kaplan <>
To: =?iso-8859-1?Q?I=F1aki_Baz_Castillo?= <>
Thread-Topic: [rtcweb] Let's define the purpose of WebRTC
Thread-Index: AQHMn+GOqLofpooW1EaoUUdNIhGp3Q==
Date: Thu, 10 Nov 2011 19:47:19 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAWE=
Cc: "<>" <>
Subject: Re: [rtcweb] Let's define the purpose of WebRTC
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Nov 2011 19:47:22 -0000

On Nov 9, 2011, at 10:05 AM, Iñaki Baz Castillo wrote:

> Implementing SRTP is really easier and cheap. There is no reason at
> all not to mandate it in a new specification, even less when it's
> designed to work in the open (and untrusted) Internet.
> So bad luck. You, telcos, have the specs and the tools to upgrade your
> non-secure SIP devices. Do it.

Several people have made this SRTP discussion into a "Telco" issue, and I don't think it is.  First, because if a Telco doesn't care about securing the media, they'll likely put the burden of making it plaintext RTP on the WebRTC domain owner, so it still won't be "their problem".  But more importantly, because I expect a lot of Telco's to actually *require* WebRTC media communications to/from them be secure in some fashion or other, specifically because it can be run to/from anywhere on the public Internet. [they won't do SRTP all the way to their own SIP endpoints, but that doesn't matter]  

So for Telco's I don't think mandating SRTP be used is a non-starter, though the form of key exchange might be a big sticking point.

But something to consider is if doing SRTP is a burden or not on web applications that know a priori that they don't need it.  In particular I mean ones that need to use media servers so it's not simply browser-to-browser, and they use HTTP because their use-case isn't one of a sensitive nature.  

p.s. BTW, I didn't mean to start a religious war on this topic - I was just pointing out that a requirement to use ICE and a requirement to use SRTP aren't tied together, and that we need to still get consensus on mandating SRTP to-use vs. only to-implement.