IETF Logo Mail Archive

Re: [rtcweb] SRTP not mandatory-to-use

Roman Shpount <roman@telurix.com> Wed, 04 January 2012 22:28 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0C611E80E2 for <rtcweb@ietfa.amsl.com>; Wed, 4 Jan 2012 14:28:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1x0PB7lpFH0z for <rtcweb@ietfa.amsl.com>; Wed, 4 Jan 2012 14:28:17 -0800 (PST)
Received: from mail-tul01m020-f172.google.com (mail-tul01m020-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id BC08511E80C1 for <rtcweb@ietf.org>; Wed, 4 Jan 2012 14:28:17 -0800 (PST)
Received: by obcuz6 with SMTP id uz6so16541054obc.31 for <rtcweb@ietf.org>; Wed, 04 Jan 2012 14:28:17 -0800 (PST)
Received: by 10.50.181.197 with SMTP id dy5mr69708351igc.13.1325716097168; Wed, 04 Jan 2012 14:28:17 -0800 (PST)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx.google.com with ESMTPS id yg2sm119680607igb.1.2012.01.04.14.28.14 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 04 Jan 2012 14:28:15 -0800 (PST)
Received: by dajz8 with SMTP id z8so16662449daj.31 for <rtcweb@ietf.org>; Wed, 04 Jan 2012 14:28:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.191.202 with SMTP id ha10mr7760010pbc.112.1325716093289; Wed, 04 Jan 2012 14:28:13 -0800 (PST)
Received: by 10.68.44.197 with HTTP; Wed, 4 Jan 2012 14:28:12 -0800 (PST)
In-Reply-To: <BLU152-W469B2EB104C104547FC42393960@phx.gbl>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com> <CABcZeBOeg-O+6===5tk0haxC8nLxUQyEUFRES2FAoFEf00fKng@mail.gmail.com> <CAErhfrxTKdo7Z+61x5ZcDt5ZM7C7ob5LNxMzwng_kk3Uqrp2_Q@mail.gmail.com> <4F01A790.4060704@alvestrand.no> <4F02A061.60905@jesup.org> <E44893DD4E290745BB608EB23FDDB762141EF8@008-AM1MPN1-042.mgdnok.nokia.com> <4F035DD5.3050305@jesup.org> <CAOJ7v-1dziaA_ePCuMxjn6uhBgOH=ZVybUmLBwQi5qiuyOzDMA@mail.gmail.com> <BLU152-W469B2EB104C104547FC42393960@phx.gbl>
Date: Wed, 04 Jan 2012 17:28:12 -0500
Message-ID: <CAD5OKxuE0VhSsjKggj1mLOseLeDXarujvAG44yHkuZttagJggw@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: juberti@google.com
Content-Type: multipart/alternative; boundary="e89a8ff1c396d0436204b5bb5427"
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 22:28:18 -0000

>
>  Justin Uberti said:
>
> "If we make SRTP mandatory to use, people will figure out a way to make
> SRTP work in their scenarios. If we don't, people will continue to use the
> same old objections as to why they can't deploy SRTP.
>
>
>
I thought our goal is to design a web based real time communication network
with the widest possible set of capabilities. I never thought that the goal
of this group is to promote other architectural agendas, even the ones as
such as spreading communications security. Security of communications would
be defined by the application developer. If application developer designs
something that is meant to be insecure (like place all calls through a
middle server that will record everything and publish it on an open web
site), it would be. I do not understand why application developer with
WebRTC should not have an option to communicate without SRTP. Ability for
developer to specify that RTP is allowed for certain connection takes
nothing from security of WebRTC, and makes a lot of issues (such as
interop, getting initial application developed and tested, etc) a lot
simpler.

I do believe that SRTP CPU load argument is nonsense (especially with newer
CPUs where there is hardware AES offload), but I the only argument I heard
so far for mandatory SRTP use was that future WebRTC developers are so
incompetent and ignorant that they will never use SRTP unless we force
them. Make it simple to specify that SRTP is required via an API, make it
default, and developers will use it. As long as WebRTC connection does not
automatically fall back to RTP if SRTP connection is required and cannot be
established, I simply don't see what the problem is.
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email