Re: [rtcweb] No Interim on SDES at this juncture

"Hutton, Andrew" <> Thu, 20 June 2013 21:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C20C321F919D for <>; Thu, 20 Jun 2013 14:25:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.571
X-Spam-Status: No, score=-2.571 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i29Tlls0ptKB for <>; Thu, 20 Jun 2013 14:25:47 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A681721E80CD for <>; Thu, 20 Jun 2013 14:25:42 -0700 (PDT)
Received: from (unknown []) by (Server) with ESMTP id A23921EB8452; Thu, 20 Jun 2013 23:25:21 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0123.003; Thu, 20 Jun 2013 23:25:21 +0200
From: "Hutton, Andrew" <>
To: Roman Shpount <>
Thread-Topic: [rtcweb] No Interim on SDES at this juncture
Thread-Index: AQHObVFVBYzpHvj1BUGlhj09l8oaqpk+DoOAgAEDiyD//+OAgIAAIqoA
Date: Thu, 20 Jun 2013 21:25:20 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_9F33F40F6F2CD847824537F3C4E37DDF115D2E8DMCHP04MSXglobal_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [rtcweb] No Interim on SDES at this juncture
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Jun 2013 21:25:52 -0000

Communication with an untrusted server is always insecure, even if using DTLS-SRTP, it is surely the level of risk that is the issue and the problem to solve is how the browser indicates that to the user.

Using SRTP is always more secure than using plain RTP but again I think the problem to be solved is how the user is notified about the level of risk.


From: Roman Shpount []
Sent: 20 June 2013 21:58
To: Hutton, Andrew
Cc: Hadriel Kaplan; Richard Barnes;<>
Subject: Re: [rtcweb] No Interim on SDES at this juncture

On Thu, Jun 20, 2013 at 4:52 PM, Hutton, Andrew <<>> wrote:
Agree with Hadriel here I so no additional security benefit for EKT given that any media gateway is going to be in cahoots with the webserver and has access to the key.

So all we are left with is the performance benefit of using SDES support in the browser which is significant and reduces the barrier to deploying WebRTC so let's go for the option that is easy to specify, easy to deploy, cheap to implement (already exists in Chrome), and we are all familiar with.

SDES support looks like the obvious choice.

Not to play devil's advocate, but how is it any different then arguments to support plain RTP? All the same things apply to RTP. On top of this SRTP is no more secure then plain RTP when communicating with a server over plain HTTP or communicating with untrusted server over HTTPS. If we decided that RTP is unacceptable from security point of view, then how is SRTP acceptable?
Roman Shpount