Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)

Eric Rescorla <ekr@rtfm.com> Tue, 27 September 2011 22:31 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 139C621F8F19 for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 15:31:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.9
X-Spam-Level:
X-Spam-Status: No, score=-102.9 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fsqHtwGXX+do for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 15:31:02 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4384221F8EF9 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 15:31:02 -0700 (PDT)
Received: by wyh21 with SMTP id 21so6259737wyh.31 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 15:33:48 -0700 (PDT)
Received: by 10.227.11.194 with SMTP id u2mr423623wbu.76.1317162828202; Tue, 27 Sep 2011 15:33:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.196.83 with HTTP; Tue, 27 Sep 2011 15:33:08 -0700 (PDT)
In-Reply-To: <CAD5OKxubnxLAqybCgnBXpKR9S0rBEsoDg9enCaverjVWYad7Ew@mail.gmail.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com> <BLU152-W62B7F2AC3F0D5B6E277CB993F00@phx.gbl> <CAD5OKxt=P3jg9N0weFUZLvUYQxyeXa+9YMtpc8wn7osuPQmTpg@mail.gmail.com> <CAD5OKxtVCgiFV_iAYd1w0uZZcS5+gsixOHJ0jGN=0CMdq++kdg@mail.gmail.com> <CAOJ7v-3PrnNyesL+x-mto9Q9djjiJ13QZHXCiGfY1mv3nubrqQ@mail.gmail.com> <CAD5OKxsKTHCuBQdUnGQtGfF7NmZZExLe9Q9B9cNR=483neuHPQ@mail.gmail.com> <CAOJ7v-1rzdmviAnGknVZmrU_TDNoC3NmWd1g6iyx0WzZ4xB3Pw@mail.gmail.com> <4E820825.9090101@skype.net> <CAD5OKxvmKi3Py0gNcTdREdfS07hA-=f6L+u8KKVgSWztMft9kQ@mail.gmail.com> <CALiegfmL4VSRE+kgs5kXzQc3mCHnKpU-EAbVPKO4QNEYLKje=A@mail.gmail.com> <4E821E47.4080205@alvestrand.no> <CALiegfndBhod6Hoq6h63795x8f=ew28rDys=Fx8ScwVpVJwp1Q@mail.gmail.com> <CABcZeBOoF6MNSpATG2+_e99iRq7Jf9OoWWNCa=qRGW_v+maoHA@mail.gmail.com> <CAD5OKxubnxLAqybCgnBXpKR9S0rBEsoDg9enCaverjVWYad7Ew@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 27 Sep 2011 15:33:08 -0700
Message-ID: <CABcZeBPoQSM=L0-Er3j-ak2M6YfCbJkThbYuR_+=xUmcsxQz9Q@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: multipart/alternative; boundary=002215974c5e7c855604adf3de2d
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2011 22:31:03 -0000

On Tue, Sep 27, 2011 at 3:13 PM, Roman Shpount <roman@telurix.com> wrote:

> Eric,
>
> I would suggest we should have an ability to disable ICE/SRTP in browser
> settings altogether for debugging purposes and have an ability to add a web
> site to browser settings (or assign it to intranet zone), which would enable
> this web site to setup calls without ICE/SRTP. This way a developer can
> disable these protocols to test things, and user can take an action to say
> that it trust a certain web site and allows it to place calls anywhere. I
> would think browser settings are outside of the standards document, but we
> at least should have requirements for ICE-required and SRTP as SHOULD, not
> MUST.
>

It's really a mistake to conflate ICE and SRTP here. If the user opets not
to use SRTP,
he's primarily hurting himself. If he opts not to use ICE, he's potentially
allowing his
browser to be used as an attack platform. These are not the same thing.

As for what's convenient for developers... I'm a developer, and while it
might be useful
to allow a setting to disable ICE and/or SRTP, that doesn't mean I need to
expose that
setting to the user. I really don't understand the virtue of a user-visible
setting to
disable the ICE requirement.

-Ekr