Re: [rtcweb] URI schemes for TURN and STUN
Eric Rescorla <ekr@rtfm.com> Thu, 03 November 2011 19:54 UTC
In-Reply-To: <ADADD239-10D3-49C1-BA4E-6380E99E9246@network-heretics.com>
References: <4EAC6BF4.2000604@alvestrand.no> <CALiegf=f4kFzyDLWK+Y5vbuCEJFXX590+VuZ4bbnHZnvX0CoBA@mail.gmail.com> <4EAC8AE0.3020307@acm.org> <4EACD558.1050003@alvestrand.no> <4EAE157F.5020901@it.aoyama.ac.jp> <4EAEB76B.9090304@acm.org> <8B0C4061-D362-4DFE-9677-7E64515A6E1C@network-heretics.com> <4EAF9391.5040209@it.aoyama.ac.jp> <5B7AE760-DBD1-46F9-89D9-E8F7CA56F111@network-heretics.com> <CABcZeBNDW=29ufn0FkObm1prqu6_PjX9CBJq8_UOdzom7pD5gg@mail.gmail.com> <ADADD239-10D3-49C1-BA4E-6380E99E9246@network-heretics.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 Nov 2011 12:43:10 -0700
Message-ID: <CABcZeBPz8zjTX5NtZF4bLX0a5qyDN6gJYLthzqBZ7iCTS19BzQ@mail.gmail.com>
To: Keith Moore <moore@network-heretics.com>
Cc: Keith Moore <moore@cs.utk.edu>, "rtcweb@ietf.org" <rtcweb@ietf.org>, Ned Freed <ned.freed@mrochek.com>, Behave WG <behave@ietf.org>
Subject: Re: [rtcweb] URI schemes for TURN and STUN
On Thu, Nov 3, 2011 at 12:29 PM, Keith Moore <moore@network-heretics.com> wrote:
>
> On Nov 3, 2011, at 2:58 PM, Eric Rescorla wrote:
>
>> On Tue, Nov 1, 2011 at 5:05 AM, Keith Moore <moore@network-heretics.com> wrote:
>>>> In most cases probably not. But there may be cases similar to HTTP/S where it makes sense. Each case has to be analyzed independently.
>>>
>>> Agree. I just don't think it's a good idea to establish a new _convention_.
>>
>> I don't really understand what you're arguing here.
>>
>> The relevant issue is that we want to have a reference that Bob can provide
>> to Alice that guarantees that when it's dereferenced it provides a minimum
>> set of security properties.
>>
>> Let's imagine some hypothetical new protocol which is like HTTP but not HTTP,
>> say HTTQ. It runs over TCP so you can use it directly or over TLS (i.e.,
>> HTTP/TCP or HTTP/TLS/TCP). We're planning to define a new URI for it,
>> httq://.../. How do you propose to provide the above security property?
>
> If you're going to define a new protocol, it should always use TLS (or it should always provide a minimum set of security properties). Then you define a single URI type for the new protocol, and it doesn't need the security flag.

OK. I agree with this.

> It's only when you're trying to retro-fit security into an existing protocol that is already widely used, doesn't inherently provide a reasonable level of security for that application, and the security isn't securely negotiated in-band, that you need a security flag in the URI.

Sure.

> More generally, the right place to set the minimum security level is in the application, not in the name of the resource. The reason you need https vs. http is that the two are really different protocols, and the client has to know a priori whether to send "GET..." or to negotiate the TLS layer after the TCP open completes.

I don't agree with this, however.

The reason you need https: versus http: is that it's the server providing the reference and it's the only one that knows whether the resource is to be accessed over TLS or not. As a point of historical trivia, the initial use of this general convention wasn't https:// but rather shttp://, and the intent of the originator, Allan Schiffman, was to make it impossible for a non-Secure HTTP capable client to accidentally reference via HTTP a resource which should be secure.

-Ekr
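As an added example (not part of this message or of the thread), here is a small Python parser for the stun:/stuns:/turn:/turns: URI forms that were later standardized in RFC 7064 and RFC 7065, showing the point the two messages argue over: the scheme, fixed by whoever hands out the reference, tells the client before any byte is sent whether a TLS handshake precedes the first STUN/TURN message, and a client that does not recognise a scheme refuses rather than retrying in the clear. The function names, the constructed sample URIs and the decision to reject transport=udp with turns: are this example's own choices, not anything the thread specifies.

```python
"""Scheme-driven transport selection for STUN/TURN URIs (added example).

The client decides from the scheme alone, before the first message, whether
TLS is negotiated. Unknown schemes fail closed. URI forms follow RFC 7064
(stun:/stuns:) and RFC 7065 (turn:/turns:); helper names are this example's own.
"""
from dataclasses import dataclass

# Default ports from RFC 7064/7065: 3478 in the clear, 5349 over TLS.
DEFAULT_PORT = {"stun": 3478, "stuns": 5349, "turn": 3478, "turns": 5349}


@dataclass(frozen=True)
class IceServer:
    protocol: str   # "stun" or "turn"
    host: str
    port: int
    transport: str  # "udp" or "tcp"
    tls: bool       # True only for the "...s" schemes


def _split_hostport(hostport: str):
    """Split host[:port], accepting a bracketed IPv6 literal."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = hostport[1:end], hostport[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        return host, rest[1:]
    host, _, port = hostport.partition(":")
    return host, port


def parse_ice_uri(uri: str) -> IceServer:
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        # Fail closed: a scheme we do not understand is an error. Silently
        # retrying without the trailing "s" would be exactly the accidental
        # downgrade the secure scheme exists to prevent.
        raise ValueError(f"unsupported or missing URI scheme: {uri!r}")
    hostport, _, query = rest.partition("?")
    host, port_text = _split_hostport(hostport)
    if not host:
        raise ValueError(f"missing host: {uri!r}")
    port = int(port_text) if port_text else DEFAULT_PORT[scheme]
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {uri!r}")

    tls = scheme.endswith("s")
    protocol = scheme[:-1] if tls else scheme
    params = {}
    if query:
        for item in query.split("&"):
            key, eq, value = item.partition("=")
            if not eq or key.lower() in params:
                raise ValueError(f"malformed query: {uri!r}")
            params[key.lower()] = value.lower()

    if protocol == "stun":
        if params:  # RFC 7064 defines no parameters for stun:/stuns:
            raise ValueError(f"stun URIs take no parameters: {uri!r}")
        transport = "tcp" if tls else "udp"
    else:
        transport = params.pop("transport", "tcp" if tls else "udp")
        if params or transport not in ("udp", "tcp"):
            raise ValueError(f"bad turn parameters: {uri!r}")
        if tls and transport != "tcp":
            # turns: means TLS over TCP here; this example offers no DTLS path.
            raise ValueError(f"turns: requires transport=tcp: {uri!r}")
    return IceServer(protocol, host, port, transport, tls)


def is_valid_ice_uri(uri: str) -> bool:
    try:
        parse_ice_uri(uri)
        return True
    except ValueError:
        return False


def connection_plan(server: IceServer) -> tuple:
    """Ordered client actions. With a secure scheme the TLS handshake comes
    before the first STUN/TURN message, so the choice cannot be deferred."""
    steps = []
    if server.transport == "tcp":
        steps.append(f"tcp connect {server.host}:{server.port}")
    else:
        steps.append(f"udp socket to {server.host}:{server.port}")
    if server.tls:
        steps.append(f"tls handshake, verify certificate for {server.host}")
    first = "STUN Binding request" if server.protocol == "stun" else "TURN Allocate request"
    steps.append(f"send {first}")
    return tuple(steps)


if __name__ == "__main__":
    # Constructed sample URIs; the last one carries no scheme and is rejected.
    for uri in ("turns:relay.example.net", "turn:relay.example.net:3478?transport=udp",
                "stun:[2001:db8::1]", "relay.example.net:3478"):
        try:
            print(uri, "->", connection_plan(parse_ice_uri(uri)))
        except ValueError as exc:
            print(uri, "-> rejected:", exc)
```

The fail-closed branch is the whole point: a client that cannot handle the secure scheme must not quietly reach the same host over the plain one, which is the property Schiffman wanted from shttp:// and which turns:/stuns: would give WebRTC.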