Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> Mon, 12 September 2011 06:31 UTC
Return-Path: <stefan.lk.hakansson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725F621F849B for <rtcweb@ietfa.amsl.com>; Sun, 11 Sep 2011 23:31:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.314
X-Spam-Level:
X-Spam-Status: No, score=-6.314 tagged_above=-999 required=5 tests=[AWL=-0.015, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0aI+XDBTfGN for <rtcweb@ietfa.amsl.com>; Sun, 11 Sep 2011 23:31:25 -0700 (PDT)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5C221F8487 for <rtcweb@ietf.org>; Sun, 11 Sep 2011 23:31:24 -0700 (PDT)
X-AuditID: c1b4fb39-b7bfdae000005125-b8-4e6da7b6b2ab
Received: from esessmw0237.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id FF.ED.20773.6B7AD6E4; Mon, 12 Sep 2011 08:33:27 +0200 (CEST)
Received: from [150.132.141.36] (153.88.115.8) by esessmw0237.eemea.ericsson.se (153.88.115.91) with Microsoft SMTP Server id 8.3.137.0; Mon, 12 Sep 2011 08:33:26 +0200
Message-ID: <4E6DA7B6.8020204@ericsson.com>
Date: Mon, 12 Sep 2011 08:33:26 +0200
From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <4E6A56D4.2030602@skype.net> <CABcZeBOdP6cAqBoiSV-Vdv1_EK3DfgnMamT3t3ccjDOMfELfBw@mail.gmail.com> <CAKhHsXFdU1ZaKQF8hbsOxwTS-_RfmFqQhgzGe=K4mRp+wz+_nQ@mail.gmail.com> <4E6A81EC.3080002@jesup.org>, <4E6AE22A.2070106@alum.mit.edu> <7F2072F1E0DE894DA4B517B93C6A05852233C3B7C5@ESESSCMS0356.eemea.ericsson.se>, <4E6C16FF.1000706@jesup.org> <BBF498F2D030E84AB1179E24D1AC41D61C1BCA829D@ESESSCMS0362.eemea.ericsson.se> <4E6CB9F7.2060208@mozilla.com>
In-Reply-To: <4E6CB9F7.2060208@mozilla.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2011 06:31:26 -0000
I think there is no protection against badly written apps. If the
signaling messages ("SDPs") are not properly protected as an example,
there is another security hole. People not bothering with protecting
media may not bother to protect the signaling either.
I also think the default in my model protection (if the app makes no
input) should be DTLS-SRTP.
Stefan
On 2011-09-11 15:39, Timothy B. Terriberry wrote:
>> * The level of media protection to use (NONE, SDES-SRTP or DTLS-SRTP) should be set by the web app
>
> Why wouldn't this devolve to, "Don't communicate anything. Instead, try
> to create a PeerConnection with DTLS-SRTP, and when that fails, try to
> create a second one with NONE," in the actual webapp.
>
> Or, more likely, since NONE will have a better chance of working with
> legacy devices, "Try to create a PeerConnection with NONE, and when that
> fails, try to create a second one with DTLS-SRTP." Assuming anyone
> bothers with the second step. Having the choice of SDES-SRTP or
> DTLS-SRTP will also make it more likely people won't bother with either,
> as they won't know which one to use. We can try to create incentives
> with browser chrome, but there's only so much that can do.
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] Remote recording - RTC-Web client acting… Elwell, John
- Re: [rtcweb] Remote recording - RTC-Web client ac… Stefan Håkansson LK
- Re: [rtcweb] Remote recording - RTC-Web client ac… Ravindran Parthasarathi
- Re: [rtcweb] Remote recording - RTC-Web client ac… Paul Kyzivat
- Re: [rtcweb] Remote recording - RTC-Web client ac… Dan York
- Re: [rtcweb] Remote recording - RTC-Web client ac… Elwell, John
- Re: [rtcweb] Remote recording - RTC-Web client ac… Olle E Johansson
- Re: [rtcweb] Remote recording - RTC-Web client ac… Dan York
- Re: [rtcweb] Remote recording - RTC-Web client ac… Hutton, Andrew
- Re: [rtcweb] Remote recording - RTC-Web client ac… Igor Faynberg
- [rtcweb] SIP MUST NOT be used in browser?[was RE:… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] Remote recording - RTC-Web client ac… Randell Jesup
- Re: [rtcweb] Remote recording - RTC-Web client ac… Elwell, John
- Re: [rtcweb] Remote recording - RTC-Web client ac… Hutton, Andrew
- Re: [rtcweb] Remote recording - RTC-Web client ac… Harald Alvestrand
- Re: [rtcweb] Remote recording - RTC-Web client ac… Dzonatas Sol
- Re: [rtcweb] Remote recording - RTC-Web client ac… Igor Faynberg
- Re: [rtcweb] Remote recording - RTC-Web client ac… Paul Kyzivat
- Re: [rtcweb] Remote recording - RTC-Web client ac… Harald Alvestrand
- Re: [rtcweb] Remote recording - RTC-Web client ac… Elwell, John
- Re: [rtcweb] Remote recording - RTC-Web client ac… Matthew Kaufman
- Re: [rtcweb] Remote recording - RTC-Web client ac… Dzonatas Sol
- Re: [rtcweb] Remote recording - RTC-Web client ac… Ravindran Parthasarathi
- Re: [rtcweb] Remote recording - RTC-Web client ac… Timothy B. Terriberry
- Re: [rtcweb] Remote recording - RTC-Web client ac… Ravindran Parthasarathi
- Re: [rtcweb] Remote recording - RTC-Web client ac… Ravindran Parthasarathi
- Re: [rtcweb] Remote recording - RTC-Web client ac… Matthew Kaufman
- Re: [rtcweb] Remote recording - RTC-Web client ac… Matthew Kaufman
- Re: [rtcweb] Remote recording - RTC-Web client ac… Bernard Aboba
- Re: [rtcweb] Remote recording - RTC-Web client ac… Robert O'Callahan
- Re: [rtcweb] Remote recording - RTC-Web client ac… Robert O'Callahan
- Re: [rtcweb] Remote recording - RTC-Web client ac… Elwell, John
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Asveren, Tolga
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Justin Uberti
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Paul Kyzivat
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Roman Shpount
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Harald Alvestrand
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Markus.Isomaki
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Randell Jesup
- [rtcweb] Encryption mandate Randell Jesup
- Re: [rtcweb] Encryption mandate Olle E. Johansson
- Re: [rtcweb] Encryption mandate Dzonatas Sol
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] Encryption mandate Dzonatas Sol
- Re: [rtcweb] Encryption mandate (and offer/answer) Jonathan Lennox
- Re: [rtcweb] Encryption mandate Christopher Blizzard
- Re: [rtcweb] Encryption mandate Igor Faynberg
- Re: [rtcweb] Encryption mandate Dzonatas Sol
- Re: [rtcweb] Encryption mandate Paul Kyzivat
- Re: [rtcweb] Encryption mandate Igor Faynberg
- Re: [rtcweb] Encryption mandate Randell Jesup
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Matthew Kaufman
- Re: [rtcweb] Encryption mandate (and offer/answer) Randell Jesup
- Re: [rtcweb] Encryption mandate Matthew Kaufman
- Re: [rtcweb] Encryption mandate Randell Jesup
- Re: [rtcweb] Encryption mandate Dzonatas Sol
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Silvia Pfeiffer
- Re: [rtcweb] Encryption mandate Christopher Blizzard
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] Encryption mandate Olle E. Johansson
- Re: [rtcweb] Encryption mandate Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Silvia Pfeiffer
- Re: [rtcweb] Encryption mandate Randell Jesup
- [rtcweb] AVPF [was: Encryption mandate (and offer… Christer Holmberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Harald Alvestrand
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Silvia Pfeiffer
- Re: [rtcweb] Encryption mandate Michael Procter
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Tim Panton
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Olle E. Johansson
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Jonathan Lennox
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Tim Panton
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- [rtcweb] Meeting Bridge and Webex link for Sept 8… Sohel Khan
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Harald Alvestrand
- Re: [rtcweb] Encryption mandate Paul Kyzivat
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Bernard Aboba
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Harald Alvestrand
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Roman Shpount
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Roman Shpount
- Re: [rtcweb] Encryption mandate Paul Kyzivat
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Paul Kyzivat
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] Encryption mandate Christopher Blizzard
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Justin Uberti
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Peter Saint-Andre
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Igor Faynberg
- Re: [rtcweb] SIP MUST NOT be used in browser? Aaron Clauson
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Justin Uberti
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Alan Johnston
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Justin Uberti
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Matthew Kaufman
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Eric Rescorla
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Justin Uberti
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Alan Johnston
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Roman Shpount
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Christer Holmberg
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Christer Holmberg
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Randell Jesup
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Justin Uberti
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Paul Kyzivat
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Olle E. Johansson
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Olle E. Johansson
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Olle E. Johansson
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Roman Shpount
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Matthew Kaufman
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Roman Shpount
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Matthew Kaufman
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Bernard Aboba
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Christer Holmberg
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Paul Kyzivat
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Randell Jesup
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Stefan Håkansson LK
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Hadriel Kaplan
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Timothy B. Terriberry
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dzonatas Sol
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser? Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Roman Shpount
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Roman Shpount
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Roman Shpount
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Stefan Håkansson LK
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Stefan Håkansson LK
- [rtcweb] SIP vs Websocket in RTCWeb [was RE: SIP … Ravindran Parthasarathi
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Matthew Kaufman
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Matthew Kaufman
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… DRAGE, Keith (Keith)
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] SIP vs Websocket in RTCWeb [was RE: … Peter Saint-Andre
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Paul Kyzivat
- Re: [rtcweb] SIP vs Websocket in RTCWeb [was RE: … Dzonatas Sol
- Re: [rtcweb] SIP vs Websocket in RTCWeb [was RE: … Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Jozsef Vass
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Roman Shpount
- Re: [rtcweb] SIP vs Websocket in RTCWeb [was RE: … Peter Saint-Andre
- [rtcweb] signaling protocol SHANMUGALINGAM SIVASOTHY
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Hadriel Kaplan
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Hadriel Kaplan
- Re: [rtcweb] SIP MUST NOT be used in browser? Tim Panton
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Tim Panton
- Re: [rtcweb] SIP MUST NOT be used in browser? Olle E. Johansson
- Re: [rtcweb] SIP MUST NOT be used in browser? Ravindran Parthasarathi
- Re: [rtcweb] SIP MUST NOT be used in browser?[was… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dan Wing
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Tim Panton
- Re: [rtcweb] AVPF [was: Encryption mandate (and o… Dan Wing