Re: [rtcweb] Use case change request: Identity in multiuser calls
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Thu, 11 August 2011 23:01 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271FF21F86BA for <rtcweb@ietfa.amsl.com>; Thu, 11 Aug 2011 16:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.765
X-Spam-Level:
X-Spam-Status: No, score=-6.765 tagged_above=-999 required=5 tests=[AWL=-0.167, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bup3MZuk--kj for <rtcweb@ietfa.amsl.com>; Thu, 11 Aug 2011 16:00:58 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by ietfa.amsl.com (Postfix) with ESMTP id 0F44F21F86B3 for <rtcweb@ietf.org>; Thu, 11 Aug 2011 16:00:57 -0700 (PDT)
Received: from usnavsmail1.ndc.alcatel-lucent.com (usnavsmail1.ndc.alcatel-lucent.com [135.3.39.9]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id p7BN1VtI012896 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 11 Aug 2011 18:01:31 -0500 (CDT)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail1.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id p7BN1US5018485 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 11 Aug 2011 18:01:31 -0500
Received: from [135.244.38.171] (faynberg.lra.lucent.com [135.244.38.171]) by umail.lucent.com (8.13.8/TPES) with ESMTP id p7BN1Tg9018550; Thu, 11 Aug 2011 18:01:29 -0500 (CDT)
Message-ID: <4E445F49.6080705@alcatel-lucent.com>
Date: Thu, 11 Aug 2011 19:01:29 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Henry Sinnreich <henry.sinnreich@gmail.com>
References: <CA69AF47.1CBB0%henry.sinnreich@gmail.com>
In-Reply-To: <CA69AF47.1CBB0%henry.sinnreich@gmail.com>
Content-Type: multipart/alternative; boundary="------------040007060300040702090708"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.9
Cc: rtcweb@ietf.org, Phil Zimmermann <prz@mit.edu>
Subject: Re: [rtcweb] Use case change request: Identity in multiuser calls
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2011 23:01:00 -0000
Yes, definitely, this is a good course of action--to discuss it with the authors. To this end, I will piggy-back another question. Do I understand it right that an endpoint would need to share a secret with every other endpoint it would need to authenticate or be authenticated by? If not, how could DH exchange be authenticated (to avoid MiTM)? Igor On 8/11/2011 5:09 PM, Henry Sinnreich wrote: > > So, if we end up with a "trusted MITM," why not have a trusted > central server in the first place? > > draft-johnston-rtcweb-media-privacy-00 says ZRTP can also support > various other scenarios, but how I understand it, no PBX or any > intermediary is required. > The default scenario is e2e. > > Maybe the authors copied here can clarify. > > Thanks, Henry > > > > On 8/11/11 2:39 PM, "Igor Faynberg" <igor.faynberg@alcatel-lucent.com> > wrote: > > Well... > > (I thought that the lawful intercept issue that came up several > times is pertinent here.) But note that this was a parenthetical > remark! > > A non-parenthetical one is based on the quote from the cited draft: > > > "In the development of ZRTP, it was realized that there are scenarios > in which the media can not be encrypted end-to-end. For example, > when a client has a trusted server or PBX which provides media > services in the path. For these cases, ZRTP developed > mechanisms for > handling a "trusted MiTM" which can terminate than reoriginate the > SRTP encryption." > > > So, if we end up with a "trusted MITM," why not have a trusted > central server in the first place? > > Igor > > P.S.: I have nothing against ZRTP, which has done a thorough and > honest job. I question its applicability to the agreed use cases. > Personally I think we need an all-encompassing solution. > > > On 8/11/2011 3:11 PM, Henry Sinnreich wrote: > > > > Henry - what sort of mechanism did you have in mind for > these anonymous > participants to identify themselves to one another? Are > you talking > about the exchange of credentials using the server as an > intermediary in > the exchange? Or did you have in mind an exchange outside > the server. > (E.g. Bob establishes a secure connection to Alice and > over it tells her > "I'm anon2 in conference foo right now"? > > > > The most credible e2e identification that comes to my mind is Phil > Zimmermann's Zfone technology: > > http://www.ietf.org/id/draft-johnston-rtcweb-media-privacy-00.txt > http://zfoneproject.com/ > > Definitely not relying on any "trusted" server :-) > > Thanks, Henry > > On 8/11/11 11:50 AM, "Paul Kyzivat" <pkyzivat@alum.mit.edu> > <mailto:pkyzivat@alum.mit.edu> wrote: > > > > On 8/11/11 12:07 PM, Henry Sinnreich wrote: > > > > The participants are identified to > each other by the central server > > > > There may be no contradiction, but just to make sure > the scenario, such as a > confidential business meeting is included (not > necessarily a social network > scenario). > > A confidential conference MUST assure that all > participants can also be > safely identified first to each other, not necessarily > by the server, end to > end, to the full satisfaction of all the participants, > who would otherwise > refuse to continue to speak up or continue to attend > at all. > Who provides for the e2e identification? A 3rd party? > Inside the app? > > Did I understand correctly there is no contradiction? > Any problem in clarifying this? > > > > This is an example of the sort of thing I was speaking of > in my earlier > reply - that there are differing levels of identity that > may be desired. > > In some cases, participants may want to be fully > anonymous. But even > then, it will typically be important that one participant > be able to > identify *which* of the other (anonymous) participants it > is receiving > media from. (E.g. by noting which participant in the > roster is the > current speaker - anon1, anon2, ...) > > In other cases the participants *true* identities are > hidden, but > handles/nicknames may be used to identify them in the > roster and in > chats. ("snoopy" and "red barron" rather than anon1 and > anon2.) > > But in that case there are issues of how the handles are > associated with > participants. It could be that handles are permanently > assigned to real > users by the server. Then you can be confident that when > talking to > "snoopy" it is always someone well defined - same as the > last time - > without awareness of who that person *actually* is. > > Alternatively, the server might allow handles to be used > on a fcfs basis > per conference. Or it might allow handles to be > non-unique, so that you > could have two "snoopy"s at the same time, bound to > unrelated users. > > Henry - what sort of mechanism did you have in mind for > these anonymous > participants to identify themselves to one another? Are > you talking > about the exchange of credentials using the server as an > intermediary in > the exchange? Or did you have in mind an exchange outside > the server. > (E.g. Bob establishes a secure connection to Alice and > over it tells her > "I'm anon2 in conference foo right now"? > > Thanks, > Paul > > > > Thanks, Henry > > > On 8/10/11 9:16 AM, "Harald > Alvestrand"<harald@alvestrand.no> > <mailto:harald@alvestrand.no> wrote: > > > > In draft-ietf-rtcweb-use-cases-and-requirements, I > would like to extend > one part of the scenario "4.3.3 Video conferencing > system with central > server". > > I would like to add one more paragraph: > > "All participant are authenticated by the central > server, and authorized > to connect to the central server. The participants > are identified to > each other by the central server, and the > participants do not have > access to each others' credentials such as e-mail > addresses or login IDs". > > This is necessary in order to drive use cases that > resemble Google > Hangout, where it is a requirement that people are > able to participate > without disclosing their Google login IDs to each > other. > (in the particular case of Hangout, the display > name on their profile > *is* disclosed ... but that's a different matter) > > The reason I think this is important is that it > feeds directly into the > discussion of what WebRTC needs to authorize: The > final source or > destination of media, or the identity of the > handler at the first hop. > In at least the case of Hangouts, the requirement > is to *not* authorize > the final source or destination. > > Not sure yet how to formulate that as a > requirement, and not sure yet if > it applies to the cases without a central server, > such as 4.2.6. We may > have to decide. > > Harald > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb > > > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb > > > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb > > > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb > >
- [rtcweb] Use case change request: Identity in mul… Harald Alvestrand
- Re: [rtcweb] Use case change request: Identity in… Paul Kyzivat
- Re: [rtcweb] Use case change request: Identity in… Randell Jesup
- Re: [rtcweb] Use case change request: Identity in… Stefan Håkansson LK
- Re: [rtcweb] Use case change request: Identity in… Harald Alvestrand
- Re: [rtcweb] Use case change request: Identity in… Stefan Håkansson LK
- Re: [rtcweb] Use case change request: Identity in… Harald Alvestrand
- Re: [rtcweb] Use case change request: Identity in… Harald Alvestrand
- Re: [rtcweb] Use case change request: Identity in… Henry Sinnreich
- Re: [rtcweb] Use case change request: Identity in… Paul Kyzivat
- Re: [rtcweb] Use case change request: Identity in… Igor Faynberg
- Re: [rtcweb] Use case change request: Identity in… Henry Sinnreich
- Re: [rtcweb] Use case change request: Identity in… Igor Faynberg
- Re: [rtcweb] Use case change request: Identity in… Henry Sinnreich
- Re: [rtcweb] Use case change request: Identity in… Randell Jesup
- Re: [rtcweb] Use case change request: Identity in… Igor Faynberg
- Re: [rtcweb] Use case change request: Identity in… Paul Kyzivat
- [rtcweb] Exchange of trusted identities in server… Harald Alvestrand
- Re: [rtcweb] Exchange of trusted identities in se… Igor Faynberg
- Re: [rtcweb] Exchange of trusted identities in se… Paul Kyzivat
- Re: [rtcweb] Exchange of trusted identities in se… Alan Johnston
- Re: [rtcweb] Exchange of trusted identities in se… Randell Jesup