Re: [rtcweb] SRTP and "marketing"
Mahalingam Mani <mmanig@gmail.com> Wed, 28 March 2012 10:55 UTC
On Wed, Mar 28, 2012 at 2:15 AM, Richard L. Barnes <rbarnes@bbn.com> wrote:

> [...]
> What I'm concerned about in the RTCWEB context is that without a universal
> authentication/identity infrastructure, we will end up *promising* a secure
> call, but not *delivering* it. I haven't done the analysis, but it does
> not seem implausible to me that FireSheep-like vulnerabilities are lurking
> here.

The choices of framework proposed in today's meeting still carry an overall undercurrent of the same generic mechanism as a SAML-based authentication and authorization. Even if a universal authentication infrastructure should exist - it becomes a potential single point of failure (imagine that being the defunct DigiNotar) or non-success (MS Passport). Too many trust-anchors (IdPs) is a problem as well for the single end-user (non-enterprise). But in the end - would users prefer to go with the trust-anchors they have come to associate with and have gained a reputation for; or something completely new?

Even with identity - the authoritative case proposes a <name>:<domain> paradigm and in the 3rd party case too - assertions are based on association of a user to domain - by an outside IdP. Thus, there's significant closeness in the identity form - regardless of whether it is the most common RFC822 (email address), SIP URI (with a slight exception of OpenID) or other URI forms.

-mani

> So ISTM the "marketing" argument carries with it some serious risks as
> well as some small possible benefit.
>
> --Richard
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb