Re: [rtcweb] SRTP and "marketing"

Mahalingam Mani <mmanig@gmail.com> Wed, 28 March 2012 10:55 UTC

From: Mahalingam Mani <mmanig@gmail.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Cc: rtcweb@ietf.org
Date: Wed, 28 Mar 2012 03:55:16 -0700
Subject: Re: [rtcweb] SRTP and "marketing"
In-Reply-To: <4F72D6B3.40803@bbn.com>
Message-ID: <CAN8ZsXCtRcFG4a9MOFa-pgBBZG-yCXAJ47K4wh31JtprArgNjA@mail.gmail.com>

On Wed, Mar 28, 2012 at 2:15 AM, Richard L. Barnes <rbarnes@bbn.com> wrote:

> [...]
> What I'm concerned about in the RTCWEB context is that without a universal
> authentication/identity infrastructure, we will end up *promising* a secure
> call, but not *delivering* it.  I haven't done the analysis, but it does
> not seem implausible to me that FireSheep-like vulnerabilities are lurking
> here.

The choices of framework proposed in today's meeting still carry an overall undercurrent of the same generic mechanism as a SAML-based authentication and authorization.

Even if a universal authentication infrastructure should exist - it becomes a potential single point of failure (imagine that being the defunct DigiNotar) or non-success (MS Passport).

Too many trust-anchors (IdPs) is a problem as well for the single end-user (non-enterprise). But in the end - would users prefer to go with the trust-anchors they have come to associate with and that have gained a reputation; or something completely new?

Even with identity - the authoritative case proposes a <name>:<domain> paradigm, and in the 3rd-party case too - assertions are based on association of a user to a domain - by an outside IdP. Thus, there's significant closeness in the identity form - regardless of whether it is the most common RFC822 (email address), SIP URI (with a slight exception of OpenID) or other URI forms.

-mani

> So ISTM the "marketing" argument carries with it some serious risks as
> well as some small possible benefit.
>
> --Richard
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb