Re: [rtcweb] SRTP and "marketing"

Mahalingam Mani <> Wed, 28 March 2012 10:55 UTC

Date: Wed, 28 Mar 2012 03:55:16 -0700
Message-ID: <>
From: Mahalingam Mani <>
To: "Richard L. Barnes" <>

On Wed, Mar 28, 2012 at 2:15 AM, Richard L. Barnes <> wrote:

> [...]
> What I'm concerned about in the RTCWEB context is that without a universal
> authentication/identity infrastructure, we will end up *promising* a secure
> call, but not *delivering* it.  I haven't done the analysis, but it does
> not seem implausible to me that FireSheep-like vulnerabilities are lurking
> here.

The choices of framework proposed in today's meeting still carry an overall
undercurrent of the same generic mechanism as a SAML-based authentication
and authorization.
Even if a universal authentication infrastructure should exist - it becomes
a potential single point of failure (imagine that being the defunct
DigiNotar) or non-success (MS Passport).
Too many trust-anchors (IdPs) is a problem as well for the single end-user
(non-enterprise). But in the end - would users prefer to go with the
trust-anchors they have come to associate with and have gained a reputation
for; or something completely new?

Even with identity - the authoritative case proposes a <name>:<domain>
paradigm and in the 3rd party case too - assertions are based on
association of a user to a domain - by an outside IdP. Thus, there's
significant closeness in the identity form - regardless of whether it is
the most common RFC822 (email address), SIP URI (with a slight exception of
OpenID) or other URI forms.

> So ISTM the "marketing" argument carries with it some serious risks as
> well as some small possible benefit.
> --Richard
> _______________________________________________
> rtcweb mailing list