Re: [rtcweb] SRTP not mandatory-to-use
Iñaki Baz Castillo <ibc@aliax.net> Wed, 11 January 2012 08:54 UTC
Return-Path: <ibc@aliax.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AD8E21F84E1 for <rtcweb@ietfa.amsl.com>; Wed, 11 Jan 2012 00:54:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4CHeoosMelZA for <rtcweb@ietfa.amsl.com>; Wed, 11 Jan 2012 00:54:22 -0800 (PST)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id BAE5E21F84D0 for <rtcweb@ietf.org>; Wed, 11 Jan 2012 00:54:22 -0800 (PST)
Received: by vcbfk13 with SMTP id fk13so388130vcb.31 for <rtcweb@ietf.org>; Wed, 11 Jan 2012 00:54:22 -0800 (PST)
Received: by 10.220.106.207 with SMTP id y15mr13273322vco.69.1326272062180; Wed, 11 Jan 2012 00:54:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.117.73 with HTTP; Wed, 11 Jan 2012 00:54:01 -0800 (PST)
In-Reply-To: <387F9047F55E8C42850AD6B3A7A03C6C01DCF907@inba-mail02.sonusnet.com>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com> <CABcZeBOeg-O+6===5tk0haxC8nLxUQyEUFRES2FAoFEf00fKng@mail.gmail.com> <CAErhfrxTKdo7Z+61x5ZcDt5ZM7C7ob5LNxMzwng_kk3Uqrp2_Q@mail.gmail.com> <4F01A790.4060704@alvestrand.no> <4F02A061.60905@jesup.org> <E44893DD4E290745BB608EB23FDDB762141EF8@008-AM1MPN1-042.mgdnok.nokia.com> <4F035DD5.3050305@jesup.org> <CAOJ7v-1dziaA_ePCuMxjn6uhBgOH=ZVybUmLBwQi5qiuyOzDMA@mail.gmail.com> <BLU152-W469B2EB104C104547FC42393960@phx.gbl> <CAD5OKxuE0VhSsjKggj1mLOseLeDXarujvAG44yHkuZttagJggw@mail.gmail.com> <CAKhHsXHnT2p7yncha5-BQ=-Lzk3-N+tuijM-UqwfP1mPUi173A@mail.gmail.com> <BLU152-W1140980759D89AC3C1D0CA93940@phx.gbl> <CA+9kkMBdX7YT1tPj5M3VrzAPKa6tXNGZVvvhjW9V4oOEC7g_kA@mail.gmail.com> <CAOJ7v-1_qMoHBb3K7rV=hG9EadqL=xn4KEdG0zdWnKZU9_TipQ@mail.gmail.com> <4AEFFC17-EF17-40F2-B83B-0B0CC44AD2C3@cisco.com> <CAKhHsXEes+Lf+uKdTrjXoy+3PMy2uNumNL-W-0s4_xRXW6FiZg@mail.gmail.com> <4F0CAC8C.8010203@wonderhamster.org> <1D062974A4845E4D8A343C6538049202074ABD3A@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCF907@inba-mail02.sonusnet.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Wed, 11 Jan 2012 09:54:01 +0100
Message-ID: <CALiegfkejnU2rTe-FibUVxTrRS9SivkhGXB5eK+FhD8Vu6iTMA@mail.gmail.com>
To: "Ravindran, Parthasarathi" <pravindran@sonusnet.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2012 08:54:23 -0000
2012/1/11 Ravindran, Parthasarathi <pravindran@sonusnet.com>: > I agree with you that it is not website trust but also network has to be considered. Please look at this requirement like accessing company intranet service (email, document) from public hotspot or Internet café. Your usecase wherein the deployment will consider security like VPN wherein the (webRTC) application has no need to perform the double encryption. In case accessing company (Enterprise) e-mail in a specific hotspot/public internet care is unsecure, then accessing company WebRTC application is also unsecure. If not, it is perfectly fine to access RTP WebRTC application as the security is ensured in some other layer of the network. It seems that there is no evolution at all in this issue, same arguments as two months ago. AFAIR the main question/problem is: who does decide when to use SRTP or just plain RTP? does such a suggestion come from the web page itself? If so, the user (the human user) can be deceived: "Press the 'Accept unsecure communication' button and you will win a car !!!" The double encryption is not a problem at all. The application (the browser) performs SRTP encryption (no problem here!) and the TCP/IP stack in the computer or in the router performs network encryption. Which is the problem??? There is no problem at all. All of this just seems a poor argument in favour of plain RTP to interoperate with legacy and non secure RTP implementations (and this is the fail of lazy SIP vendors, don't bring that to WebRTC please). Regards. -- Iñaki Baz Castillo <ibc@aliax.net>
- Re: [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Markus.Isomaki
- Re: [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- Re: [rtcweb] SRTP not mandatory-to-use Igor Faynberg
- Re: [rtcweb] SRTP not mandatory-to-use Roy, Radhika R USA CIV (US)
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Markus.Isomaki
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Alan Johnston
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Olle E. Johansson
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Stefan Hakansson LK
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Cullen Jennings
- Re: [rtcweb] SRTP not mandatory-to-use Kevin P. Fleming
- Re: [rtcweb] SRTP not mandatory-to-use Alan Johnston
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Spencer Dawkins
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- [rtcweb] JSEP draft query [was RE: SRTP not manda… Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Cullen Jennings
- [rtcweb] state of libsrtp maintenance? (Re: SRTP … Harald Alvestrand
- Re: [rtcweb] JSEP draft query [was RE: SRTP not m… Harald Alvestrand
- Re: [rtcweb] SRTP DTLS - SIPit Olle E. Johansson
- Re: [rtcweb] JSEP draft query [was RE: SRTP not m… Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Roman Shpount
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Eric Rescorla
- Re: [rtcweb] SRTP DTLS - SIPit Eric Rescorla
- Re: [rtcweb] SRTP DTLS - SIPit Hannes Tschofenig
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Oscar Ohlsson
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Oscar Ohlsson
- Re: [rtcweb] Security analysis of RTCWEB Bernard Aboba
- Re: [rtcweb] Security analysis of RTCWEB Eric Rescorla
- Re: [rtcweb] Security analysis of RTCWEB Igor Faynberg
- Re: [rtcweb] Security analysis of RTCWEB Bernard Aboba
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Cullen Jennings