Re: [rtcweb] Final plea about SRTP

Roman Shpount <roman@telurix.com> Fri, 04 May 2012 17:45 UTC

On Fri, May 4, 2012 at 1:04 PM, Randell Jesup <randell-ietf@jesup.org> wrote:

> You forget that bid-down includes bid-downs by the JS or server (which are
> not trusted in our model), not just by on-path attackers.
>

If your session is initiated by HTTPS, using RTP should not be an option
(the same way as using HTTP from HTTPS is not normally an option). If your
session is HTTP, the whole application can be spoofed, so there is no security
to begin with.

> I used to work on hardware endpoints that have been using SAVPF since 2004,
> with hundreds of thousands of units in the field.
>

I thought SAVPF was only standardized in 2008 and AVPF was standardized in
2006. AVPF was discussed for a while though, so I would assume you worked
with something that implemented one of the drafts...
_____________
Roman Shpount
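As an added illustration of the policy argued in this message (example code, not from the thread or any rtcweb implementation), a Python check that an SDP answer does not bid a secure profile down to plaintext RTP, and that an HTTPS-initiated session refuses a plaintext profile on any m-line. The SDP snippets are constructed, and signaling_over_https is an assumed flag the application derives from the origin of the signaling page.

```python
# Added example: SDP transport-profile bid-down check (not code from the
# thread). Sample SDP below is constructed; signaling_over_https is an
# assumed flag the application sets from the origin of the signaling page.

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF",
                   "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed offer: one audio m-line using the secure SAVPF profile.
OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.1\r\ns=-\r\nt=0 0\r\n"
         "m=audio 49170 RTP/SAVPF 111\r\n")
# Constructed answers: one keeps SAVPF, the other downgrades to plain AVP.
ANSWER_SECURE = ("v=0\r\no=- 2 2 IN IP4 192.0.2.2\r\ns=-\r\nt=0 0\r\n"
                 "m=audio 51000 RTP/SAVPF 111\r\n")
ANSWER_PLAIN = ("v=0\r\no=- 2 2 IN IP4 192.0.2.2\r\ns=-\r\nt=0 0\r\n"
                "m=audio 51000 RTP/AVP 111\r\n")


def media_profiles(sdp):
    """Return the <proto> field of every m= line, in order."""
    profiles = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            parts = line[2:].split()  # <media> <port> <proto> <fmt> ...
            if len(parts) >= 3:
                profiles.append(parts[2])
    return profiles


def check_answer(offer_sdp, answer_sdp, signaling_over_https):
    """Accept the answer only if no m-line was bid down.

    Two rules: an m-line offered with a secure profile must be answered
    with a secure profile, and a session whose signaling came over HTTPS
    may not use a plaintext profile at all. Returns (accepted, reason).
    """
    offered = media_profiles(offer_sdp)
    answered = media_profiles(answer_sdp)
    if len(offered) != len(answered):
        return False, "m-line count differs between offer and answer"
    for i, (o, a) in enumerate(zip(offered, answered)):
        if a not in SECURE_PROFILES:
            if signaling_over_https:
                return False, f"m-line {i}: {a} not allowed for HTTPS-initiated session"
            if o in SECURE_PROFILES:
                return False, f"m-line {i}: bid-down from {o} to {a}"
    return True, "ok"


if __name__ == "__main__":
    print(check_answer(OFFER, ANSWER_SECURE, True))  # accepted
    print(check_answer(OFFER, ANSWER_PLAIN, True))   # rejected: plaintext
```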