Re: [rtcweb] Let's define the purpose of WebRTC

Eric Rescorla <> Thu, 10 November 2011 05:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 568B821F8485 for <>; Wed, 9 Nov 2011 21:21:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.942
X-Spam-Status: No, score=-102.942 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id emWK0WFf8Ysc for <>; Wed, 9 Nov 2011 21:21:29 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 96BEC21F8484 for <>; Wed, 9 Nov 2011 21:21:29 -0800 (PST)
Received: by vcbfk1 with SMTP id fk1so2361966vcb.31 for <>; Wed, 09 Nov 2011 21:21:29 -0800 (PST)
Received: by with SMTP id 19mr707328vch.161.1320902489114; Wed, 09 Nov 2011 21:21:29 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 9 Nov 2011 21:20:48 -0800 (PST)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Eric Rescorla <>
Date: Wed, 9 Nov 2011 21:20:48 -0800
Message-ID: <>
To: Roman Shpount <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [rtcweb] Let's define the purpose of WebRTC
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Nov 2011 05:21:30 -0000

On Wed, Nov 9, 2011 at 6:33 AM, Roman Shpount <> wrote:
> On Wed, Nov 9, 2011 at 8:44 AM, Iñaki Baz Castillo <> wrote

> 2. SRTP is not required: If we are dealing with a greeting card application
> or game chat, no one expects security. If security can be provided this will
> probably not hurt anybody, but in the end it will serve no purpose there.

I'm focusing solely on this point because I think it does such a good job
of demonstrating the limitations of this kind of "who would ever want security
for application X" thinking.

I can envision situations on which security would be desirable in both of
these applications. In the case of a "greeting card application" (whatever
that is) my greeting card might contain sensitive personal or medical
information (congratulations on your pregnancy, sorry to hear you have
cancer etc.) Surely I do in fact want that information secured. Similarly,
it might not be important to have my Farmville chats secure, but if the
purpose of an in-game chat is for me and my co-player to cooperate
in a game where money is on the line (e.g., a tournament), then suddenlu
security becomesmuch more important. Not to mention that the players
may simply be using in-game chat to discuss personal stuff.

The point is that it's very hard to anticipate which communications media
will be used for sensitive information. To say "we don't need security
in this application because nobody will ever use it to discuss sensitive
stuff" is short-sighted. Better simply to be secure all the time.