[rtcweb] SAVPF history (Re: Final plea about SRTP)

Harald Alvestrand <harald@alvestrand.no> Tue, 08 May 2012 07:57 UTC

On 05/04/2012 07:45 PM, Roman Shpount wrote:
>
> On Fri, May 4, 2012 at 1:04 PM, Randell Jesup <randell-ietf@jesup.org>
> wrote:
>
>     You forget that bid-down includes bid-downs by the JS or server
>     (which are not trusted in our model), not just by on-path attackers.
>
>
> If your session is initiated by HTTPS, using RTP should not be an 
> option (the same way as using HTTP from HTTPS is not normally an 
> option). If your session is HTTP, whole application can be spoofed, so 
> there is no security to begin with.
>
>     I used to work on hardware endpoints that have been using SAVPF
>     since 2004, with hundreds of thousands of units in the field.
>
>
> I thought SAVPF was only standardized in 2008 and AVPF was 
> standardized in 2006. AVPF was discussed for a while though, so I 
> would assume you worked with something that implemented one of the 
> drafts...
The -00 version of the SAVPF draft is dated 19 October 2003.

According to 
https://datatracker.ietf.org/doc/draft-ietf-avt-profile-savpf/history/ 
publication was requested in February 2006, and it was approved by the 
IESG in November 2007. The publication delay was 3 months.

The technical changes that resulted from these 4 years of work can be 
seen here:

http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url1=draft-ietf-avt-profile-savpf-00.txt&url2=draft-ietf-avt-profile-savpf-12.txt 

                         Harald