Re: [rtcweb] A compromise for SDES

Peter Thatcher <> Mon, 15 July 2013 12:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AAA3821F9FE2 for <>; Mon, 15 Jul 2013 05:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.929
X-Spam-Status: No, score=-1.929 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Iay3-hb0INCF for <>; Mon, 15 Jul 2013 05:47:16 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c03::231]) by (Postfix) with ESMTP id 887DD21F9EAF for <>; Mon, 15 Jul 2013 05:47:16 -0700 (PDT)
Received: by with SMTP id ld11so11075238pab.8 for <>; Mon, 15 Jul 2013 05:47:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=1FbEERiIF2zJwO2bvXmiGBGFnp0yWUmHdx8wMfmS1S8=; b=C/boSMt3mKFhvfpDJSpwHd7lUe+uPybpMos6oeecrtxdb1gnLzDu5jnSd1xfHPrLGl /+IkmcKRJ4VmmXEXzp6M2iXRgWbVw8aG4E4WD3FFwnqA4ZeOhihN6+aaXcEClhlflE+c bkU9zHcgvq+DmzyNpdo6NWmwk487gmVfEQokAX+P/vV3xAJG3ALLq4OZFJkKFr1KNT5j EpZr3e4bgTTohyqmIZP9M/EVSSNlTCmAUZ6ecmoLT36PgBK3Xw48k1rCgGMmfAV8K/gO oHj8jHST/VR/4v0gplfU5QjgkFiduzlL/NxML92+wQfHsqEMGOh6kotHl+pjGvJY4e6u u5yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=1FbEERiIF2zJwO2bvXmiGBGFnp0yWUmHdx8wMfmS1S8=; b=L6P1Z78uN+JyBrRZhNULFE7WtNTDJJFUOoGdcec4gBMGKRs87Ax+sOSVahk/vS6Jlp JLKDm9SM8K9Dt8RRH8gi/99/cbqj5SFptWIMsCX+XmgE4EoMUvOT9QqEIicYfbdeEEnF ZH5UoEU8PeoQ1jAeVQtKh9bLuphYUhuBwqDNCJDwhK6z3A5wYVFwm4IogTZpgGx970Wd dOfYjMrSet5c+uFSKg15ZlC/pMWpy0MciWPp//mdaH91D37Jwo8sn3V6AvxMplZUKAei L+xNInX7BSG+N+miP3x8mYYIQ437vHoqA+fTenXOeW2hP0lNnw5fAghwUyVPgo8tC9ao FXJg==
X-Received: by with SMTP id sg8mr55085092pac.45.1373892434364; Mon, 15 Jul 2013 05:47:14 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 15 Jul 2013 05:46:34 -0700 (PDT)
In-Reply-To: <BLU169-W1221AE43EFBADA8B862E43993650@phx.gbl>
References: <> <> <> <> <BLU169-W1221AE43EFBADA8B862E43993650@phx.gbl>
From: Peter Thatcher <>
Date: Mon, 15 Jul 2013 05:46:34 -0700
Message-ID: <>
To: Bernard Aboba <>
Content-Type: multipart/alternative; boundary="047d7b111cff82ace904e18c427f"
X-Gm-Message-State: ALoCoQmSBi++x2T5M2XBEboCr94mcS5r5h108T4HwEn5QqjymgA7YxTliLtnwpMxT12IU/nbOr3mYNgD/pN1tSuTr5JNCHz2UREp2StDPUVycFKZtdJXtG+KsGvIo/kB27SDOaK1zArPZC47NQnQ09N4TqG8Iy4ZuwGM7J7UXKWlIIHBoVLGzkWFRT+TanoXrGDrJWaslAR+
Cc: "" <>
Subject: Re: [rtcweb] A compromise for SDES
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Jul 2013 12:47:17 -0000

On Sat, Jul 13, 2013 at 2:02 PM, Bernard Aboba <>wrote:

> Hadriel --
> I think you've brought up a critical point, which is very worth keeping in
> mind throughout the discussions in IETF RTCWEB.  That is that WebRTC is
> really two distinct innovations -- one, a profile of "RAI 2.0"
> functionality, defining a core set of RTP functionality developed over the
> last decade (e.g. end-to-end security, adaptive HD codecs, AVPF, etc.), and
> the other, a set of Javascript APIs for Web browsers defined by the W3C.   IMHO,
>  the "RAI 2.0" aspect is likely to prove more important (and long-lived)
> than the W3C WEBRTC API aspect.
> Since the "RAI 2.0" profile developed by the IETF RTCWEB WG is likely to
> live on way beyond the useful life of the W3C WEBRTC APIs, it is critical
> that the protocol profiles not be distorted so as to cater to API concerns
> that will be difficult to justify, let alone remember, a decade from now.
> If the damage brought about by an SDP-based API could be restricted
> solely to Web browsers without reflecting itself in expected "on the wire"
> behavior, I would care a lot less about it.  After all, the Internet
> knows how to deal with bad designs -  it just "treats them as damage and
> routes around them".    So to the extent that IETF RTCWEB can contain the
> SDP API swamp we'll all be better off -- and the swamp will be that much
> easier to drain down the road once it becomes clear to all that nobody
> really wants to live in that part of town anyway.

> As you state, the vast majority of customers I talk to are interested
> primarily in the "RAI 2.0" aspects of WebRTC, and only secondarily, if at
> all, in the W3C JS APIs.  Given the displacement of feature phones by
> smartphones, the growth in availability of wireless data as well as the
> increasing availability of connectivity that can support interactive video
> (all areas of very rapid growth over the next few years), the focus of
> realtime communications app developers I talk to is not on browser, but on
> the development of native applications.  And unless HTML5-based approaches
> such as Firefox OS gain traction, that focus is likely to remain.
> Given this, the most frequent request I hear is for a usable mobile SDK
> that can offer protocol compatibility with WebRTC implementations on
> browsers.  To succeed, that mobile SDK had better not look anything like
> the W3C WEBRTC API, and it also better support extensibility.

Chrome's implementation of WebRTC, which can be found at, has a
mobile SDK that can be used to build mobile apps (Android and iOS, at
least).  Some well-known and popular RTC mobile apps are in large part
built on that code and can interop to a degree with browsers.  So in some
sense, you already have what you want.

The big problem is that the high-level API offered by that SDK exactly
matches the one in the browser, which means it's the gross SDP-based one.
 And none of the mobile apps I know, beyond an example app, use that API,
or have plans to, precisely because it's gross.  Instead, as far as I know,
they dig deeper into the code and avoid that part. (why jam everything
through SDP if you don't have to?).

I think the optimal scenario for us to target is to define a good API that
is the same between mobile and web browsers.  I think that would help
developers the most.  Making such a "web and mobile" API is probably out of
scope for any WG, but I think that if we defined a good (non SDP-based) API
for the browser, it could easily be exposed as a native SDK (just like it
is now), but be much less gross and more usable.

I don't know if such a thing (a good API for both mobile and web) can
realistically ever happen, but in the meantime, you can at least pick up
the code at and make a mobile app.  It's open source, too, so if
you want to make a better API than what's there, go ahead and write one :).

In reality, all that the IETF RTCWEB profile defines is the core set of
> functionality -- that set of features that MUST be supported to enable
> interoperability.  However, there is a lot more that a developer might want
> to have available for their particular application.  That might include a
> codec (such as AMR-NB) or a security variant such as SDES/SRTP.   Since as
> you note many developers aren't going to be using the W3C WEBRTC APIs
> anyway, whether those additional functions are supported in the W3C APIs is
> largely irrelevant - and so are discussions about whether this or that
> additional feature needs to be a "SHOULD" or a "MAY".

FYI, the code at supports SDES/SRTP, and while it doesn't have
support for AMR-NB (as far as I know), it does have a system for adding new
codecs, so you could theoretically take an implementation of AMR-NB and
compile it in yourself to make a mobile app.  It may not be very easy, but
it is possible.

> > So given that background, I was planning to propose that the security
> doc keep DTLS-SRTP as the only MTI mechanism for browsers, BUT to add a
> statement that web-based application frameworks SHOULD also support SDES.
> (with text about why and how, etc.)
> >
> > I don't think this is too controversial, because web-based frameworks
> are never beholden to following browser behavior anyway - they're used to
> build a native application, and native applications have a very different
> security/threat model in practice. They're written for a specific purpose,
> and installed by users from known sources for that known purpose.
> Technically, afaik, nothing we do in RTCWEB WG or W3C's WEBRTC group have
> any requirements/mandates for native applications anyway - an app maker
> would just ignore something they don't think applies to them - but I think
> web-based frameworks do generally try to follow W3C models for Javascript
> APIs, and will likely read the IETF RFCs for the media-layer stuff too. So
> I think having this SHOULD statement would be beneficial.
> _______________________________________________
> rtcweb mailing list