Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> Mon, 12 September 2011 06:31 UTC

Return-Path: <stefan.lk.hakansson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725F621F849B for <rtcweb@ietfa.amsl.com>; Sun, 11 Sep 2011 23:31:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.314
X-Spam-Level:
X-Spam-Status: No, score=-6.314 tagged_above=-999 required=5 tests=[AWL=-0.015, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0aI+XDBTfGN for <rtcweb@ietfa.amsl.com>; Sun, 11 Sep 2011 23:31:25 -0700 (PDT)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5C221F8487 for <rtcweb@ietf.org>; Sun, 11 Sep 2011 23:31:24 -0700 (PDT)
X-AuditID: c1b4fb39-b7bfdae000005125-b8-4e6da7b6b2ab
Received: from esessmw0237.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id FF.ED.20773.6B7AD6E4; Mon, 12 Sep 2011 08:33:27 +0200 (CEST)
Received: from [150.132.141.36] (153.88.115.8) by esessmw0237.eemea.ericsson.se (153.88.115.91) with Microsoft SMTP Server id 8.3.137.0; Mon, 12 Sep 2011 08:33:26 +0200
Message-ID: <4E6DA7B6.8020204@ericsson.com>
Date: Mon, 12 Sep 2011 08:33:26 +0200
From: =?ISO-8859-1?Q?Stefan_H=E5kansson_LK?= <stefan.lk.hakansson@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <4E6A56D4.2030602@skype.net> <CABcZeBOdP6cAqBoiSV-Vdv1_EK3DfgnMamT3t3ccjDOMfELfBw@mail.gmail.com> <CAKhHsXFdU1ZaKQF8hbsOxwTS-_RfmFqQhgzGe=K4mRp+wz+_nQ@mail.gmail.com> <4E6A81EC.3080002@jesup.org>, <4E6AE22A.2070106@alum.mit.edu> <7F2072F1E0DE894DA4B517B93C6A05852233C3B7C5@ESESSCMS0356.eemea.ericsson.se>, <4E6C16FF.1000706@jesup.org> <BBF498F2D030E84AB1179E24D1AC41D61C1BCA829D@ESESSCMS0362.eemea.ericsson.se> <4E6CB9F7.2060208@mozilla.com>
In-Reply-To: <4E6CB9F7.2060208@mozilla.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2011 06:31:26 -0000

I think there is no protection against badly written apps. If the 
signaling messages ("SDPs") are not properly protected as an example, 
there is another security hole. People not bothering with protecting 
media may not bother to protect the signaling either.

I also think the default in my model protection (if the app makes no 
input) should be DTLS-SRTP.

Stefan


On 2011-09-11 15:39, Timothy B. Terriberry wrote:
>> * The level of media protection to use (NONE, SDES-SRTP or DTLS-SRTP) should be set by the web app
>
> Why wouldn't this devolve to, "Don't communicate anything. Instead, try
> to create a PeerConnection with DTLS-SRTP, and when that fails, try to
> create a second one with NONE," in the actual webapp.
>
> Or, more likely, since NONE will have a better chance of working with
> legacy devices, "Try to create a PeerConnection with NONE, and when that
> fails, try to create a second one with DTLS-SRTP." Assuming anyone
> bothers with the second step. Having the choice of SDES-SRTP or
> DTLS-SRTP will also make it more likely people won't bother with either,
> as they won't know which one to use. We can try to create incentives
> with browser chrome, but there's only so much that can do.
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb