Re: [rtcweb] SRTP and "marketing"

"Fabio Pietrosanti (naif)" <lists@infosecurity.ch> Thu, 29 March 2012 06:22 UTC

Sender: Fabio Pietrosanti <naif@infosecurity.ch>
Message-ID: <4F73FFA6.2030402@infosecurity.ch>
Date: Thu, 29 Mar 2012 08:22:30 +0200
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
References: <4F72D6B3.40803@bbn.com> <4F72E453.7070204@alvestrand.no> <4F72EB53.5000409@bbn.com> <0bf301cd0d04$22d53200$687f9600$@com> <00052A1F-CE65-4A53-9B7D-261E1CC75426@acmepacket.com>
In-Reply-To: <00052A1F-CE65-4A53-9B7D-261E1CC75426@acmepacket.com>
Subject: Re: [rtcweb] SRTP and "marketing"
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>

On 3/28/12 11:58 PM, Hadriel Kaplan wrote:
> 
> On Mar 28, 2012, at 6:59 PM, Dan Wing wrote:
> 
>> We do need a foundation upon which an authentication/identity 
>> infrastructure can be built.  We know we need one.
>> That foundation is DTLS-SRTP, and not Security Descriptions.
> 
> Now you're starting to sound like a marketing guy.  ;)
> What's next: "we'll build more synergy and have a unified platform with DTLS-SRTP"?
> 
> But more seriously, I don't understand this "foundation" argument.  We're going to have DTLS-SRTP.  No one's suggesting we don't have DTLS-SRTP.  

I'm no one, but I would strongly argue for using SDES-SRTP, considering
that forcing the world to implement an unused new standard (DTLS-SRTP)
for a new, not-yet-implemented standard (WebRTC) is a mistake.

> All Browsers MUST implement DTLS-SRTP.  We'll have it for Browser-to-Browser, and for Browser-to-Gateway if the Gateway supports it.  We'll have the foundation.
> 
> Requiring it for Gateways would make sense if it offered some real advantage, or didn't have any disadvantages.  There don't appear to be real advantages, while we know of disadvantages.  And gateways have no real means of offering an end-to-end identity.  Why would you want to build a foundation on air?

We need to build a new protocol on the foundation of existing protocols.

DTLS-SRTP doesn't exist because no one uses it: there are no widespread
implementations and no interoperability testing has been done.

DTLS-SRTP requires a *huge effort* to set up.

SDES-SRTP does not require such a *huge effort* and will unleash the
advantage of an existing ecosystem of applications and protocol stacks
that are already there.

While I understand Mr. Wing's points related to Identity, I think that
Identity will be guaranteed not at the "media level" but by the existing
transport, that is HTTP/HTTPS and all the W3C protocols that run on top
of the Web (Federated Authority), to handle Authorization and
Authentication.

Reinventing something new is, IMHO, just wrong.

-- 
Fabio Pietrosanti
Founder, CTO

Tel: +39 02 911930893 + ext: 907
Mobile: +39 340 1801049
E-mail: fabio.pietrosanti@privatewave.com
Skype: fpietrosanti
Linkedin: http://linkedin.com/in/secret

PrivateWave Italia S.p.A.
Via Gaetano Giardino 1 - 20123 Milano - Italy
www.privatewave.com
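The thread above contrasts SDES-SRTP, where the SRTP master key travels inside the SDP `a=crypto:` line (RFC 4568), with DTLS-SRTP, where the SDP carries only a certificate fingerprint (RFC 4572/5763) and the key is derived in the DTLS handshake on the media path. The following Python is an added example, not code from the e-mail or from any of its participants: it parses both SDP forms, shows exactly what key material each one leaves visible to the signaling path, and performs the fingerprint check that lets a DTLS-SRTP endpoint bind the handshake certificate to what signaling announced. The SDP text, the key bytes and the "certificate" bytes are constructed stand-ins (the certificate is an arbitrary byte string hashed the way a DER certificate would be), and all function names are the example's own.

```python
"""Added example (not part of the original e-mail): what SDES-SRTP and
DTLS-SRTP each expose in SDP, and the fingerprint check DTLS-SRTP relies on.

All SDP text, keys and certificate bytes below are constructed samples.
"""
import base64
import hashlib
import hmac
import re

# RFC 4568 crypto suites: (master key length, master salt length) in bytes.
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}
# RFC 4572 hash-function names mapped to hashlib names.
HASH_FUNCS = {"sha-1": "sha1", "sha-256": "sha256"}

CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) ([0-9A-Fa-f:]+)", re.M)


def fingerprint_of(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Colon-separated upper-case hex digest of a certificate, RFC 4572 style."""
    digest = hashlib.new(HASH_FUNCS[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def extract_sdes_keys(sdp: str):
    """Return (tag, suite, master_key, master_salt) for every a=crypto: line.

    Everything returned here was recoverable from the signaling message
    alone, which is the property SDES-SRTP has and DTLS-SRTP does not.
    """
    found = []
    for tag, suite, b64 in CRYPTO_RE.findall(sdp):
        key_len, salt_len = SUITE_KEY_LEN[suite]
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        if len(raw) != key_len + salt_len:
            raise ValueError(f"bad key length for {suite}: {len(raw)} bytes")
        found.append((int(tag), suite, raw[:key_len], raw[key_len:]))
    return found


def extract_dtls_fingerprint(sdp: str):
    """Return (hash_name, fingerprint) from the a=fingerprint: line, or None."""
    m = FINGERPRINT_RE.search(sdp)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2).upper()


def verify_dtls_peer_cert(sdp: str, peer_cert_der: bytes) -> bool:
    """The DTLS-SRTP binding step: the certificate presented in the handshake
    must match the fingerprint that signaling announced. A peer that swaps in
    its own certificate on the media path fails this check."""
    fp = extract_dtls_fingerprint(sdp)
    if fp is None:
        return False
    hash_name, expected = fp
    if hash_name not in HASH_FUNCS:
        raise ValueError(f"unsupported fingerprint hash {hash_name}")
    return hmac.compare_digest(expected, fingerprint_of(peer_cert_der, hash_name))


# --- constructed samples -------------------------------------------------
# 30 arbitrary bytes standing in for a real 16-byte key || 14-byte salt.
SDES_KEY_SALT = bytes(range(1, 31))
SDES_SDP = (
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(SDES_KEY_SALT).decode() + "\r\n"
)

# Stand-in for the DER bytes of the offerer's self-signed DTLS certificate.
FAKE_CERT_DER = b"constructed stand-in for a DER-encoded DTLS certificate"
DTLS_SDP = (
    "v=0\r\n"
    "m=audio 49170 UDP/TLS/RTP/SAVPF 0\r\n"
    "a=fingerprint:sha-256 " + fingerprint_of(FAKE_CERT_DER) + "\r\n"
    "a=setup:actpass\r\n"
)


if __name__ == "__main__":
    for tag, suite, key, salt in extract_sdes_keys(SDES_SDP):
        print(f"SDES tag {tag} {suite}: key={key.hex()} salt={salt.hex()} (read from SDP)")
    print("DTLS-SRTP keys recoverable from SDP:", extract_sdes_keys(DTLS_SDP))
    print("DTLS-SRTP fingerprint:", extract_dtls_fingerprint(DTLS_SDP))
    print("genuine cert passes:", verify_dtls_peer_cert(DTLS_SDP, FAKE_CERT_DER))
    print("substituted cert passes:", verify_dtls_peer_cert(DTLS_SDP, b"someone else's cert"))
```

The contrast the two parsers make concrete is the one Dan Wing's "foundation" remark rests on: an identity assertion can sign the DTLS fingerprint in the SDP, and `verify_dtls_peer_cert` then ties that assertion to the key agreement on the media path, whereas with SDES there is nothing in the key exchange to bind an identity to and every hop that sees the SDP sees the master key.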