Re: [rtcweb] SRTP - mandatory to implement vs mandatory to use (Re: Let's define the purpose of WebRTC)

Harald Alvestrand <harald@alvestrand.no> Thu, 10 November 2011 08:34 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 829F121F8770 for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 00:34:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.557
X-Spam-Level:
X-Spam-Status: No, score=-110.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OgRhk6-FZaeK for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 00:34:29 -0800 (PST)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id D93ED21F86A0 for <rtcweb@ietf.org>; Thu, 10 Nov 2011 00:34:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 3CC0339E0FC; Thu, 10 Nov 2011 09:34:27 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XT5HK-il8SPj; Thu, 10 Nov 2011 09:34:26 +0100 (CET)
Received: from hta-dell.lul.corp.google.com (62-20-124-50.customer.telia.com [62.20.124.50]) by eikenes.alvestrand.no (Postfix) with ESMTPS id 95C7F39E089; Thu, 10 Nov 2011 09:34:26 +0100 (CET)
Message-ID: <4EBB8C92.50706@alvestrand.no>
Date: Thu, 10 Nov 2011 09:34:26 +0100
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: "Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <8A61D801-D14D-408B-9875-63C37D0CC166@acmepacket.com><CABw3bnPE=OY_h5bM7GA6wgrXiOBL8P4J0kw1jLv-GSpHAbg=Cg@mail.gmail.com> <4EB79FC2.10400@alvestrand.no> <1D062974A4845E4D8A343C653804920206D3BC60@XMB-BGL-414.cisco.com>
In-Reply-To: <1D062974A4845E4D8A343C653804920206D3BC60@XMB-BGL-414.cisco.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] SRTP - mandatory to implement vs mandatory to use (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2011 08:34:29 -0000

On 11/10/2011 08:39 AM, Muthu Arul Mozhi Perumal (mperumal) wrote:
> |At the moment, draft-ietf-rtcweb-rtp-usage does not contain any
> |requirement on SRTP usage (the security section says "A mandatory
> |to implement media security solution will be required to be picked",
> |which I think is a bit weak), and the discussion at the time did not
> |seem to indicate consensus that SRTP must be used always, so I
> |decided to document what we seemed to have consensus on - that SRTP
> |MUST be implemented.
>
> Does it mean:
> a. The WebRTC browser MUST implement SRTP, but the WebRTC service/JS needn't use it OR
> b. The WebRTC browser and the service/JS MUST implement SRTP, but the user needn't have to use it?
>
For this group: a, I think.

I haven't seen it realistic to impose restrictions in RTCWEB on the 
Javascript that people write.
The language and the APIs are subjects of standardization; the code 
written isn't.

If someone claims to implement a protocol in Javascript, of course the 
restrictions apply - if they implement a protocol in Javascript where 
crypto is mandatory to implement, and don't implement crypto, their 
claim to have implemented the protocol is false advertising.

But the IETF has no protocol police.