Re: [rtcweb] SRTP not mandatory-to-use

Iñaki Baz Castillo <ibc@aliax.net> Wed, 11 January 2012 08:54 UTC


2012/1/11 Ravindran, Parthasarathi <pravindran@sonusnet.com>:
> I agree with you that it is not website trust but also network has to be considered. Please look at this requirement like accessing company intranet service (email, document) from public hotspot or Internet café. Your use case wherein the deployment will consider security like VPN wherein the (webRTC) application has no need to perform the double encryption. In case accessing company (Enterprise) e-mail in a specific hotspot/public Internet café is unsecure, then accessing company WebRTC application is also unsecure. If not, it is perfectly fine to access RTP WebRTC application as the security is ensured in some other layer of the network.


It seems that there is no evolution at all in this issue, same
arguments as two months ago.

AFAIR the main question/problem is: who decides when to use SRTP
or just plain RTP? Does such a suggestion come from the web page
itself? If so, the user (the human user) can be deceived:

  "Press the 'Accept unsecure communication' button and you will win a car !!!"

The double encryption is not a problem at all. The application (the
browser) performs SRTP encryption (no problem here!) and the TCP/IP
stack in the computer or in the router performs network encryption.
What is the problem??? There is no problem at all. All of this just
seems a poor argument in favour of plain RTP to interoperate with
legacy and non-secure RTP implementations (and this is the fail of
lazy SIP vendors, don't bring that to WebRTC please).


Regards.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>