[rtcweb] SAVPF history (Re: Final plea about SRTP)

Harald Alvestrand <harald@alvestrand.no> Tue, 08 May 2012 07:57 UTC

On 05/04/2012 07:45 PM, Roman Shpount wrote:
> On Fri, May 4, 2012 at 1:04 PM, Randell Jesup <randell-ietf@jesup.org> wrote:
>     You forget that bid-down includes bid-downs by the JS or server
>     (which are not trusted in our model), not just by on-path attackers.
> If your session is initiated by HTTPS, using RTP should not be an 
> option (the same way as using HTTP from HTTPS is not normally an 
> option). If your session is HTTP, the whole application can be spoofed, so 
> there is no security to begin with.
>     I used to work on hardware endpoints that have been using SAVPF
>     since 2004, with hundreds of thousands of units in the field.
> I thought SAVPF was only standardized in 2008 and AVPF was 
> standardized in 2006. AVPF was discussed for a while though, so I 
> would assume you worked with something that implemented one of the 
> drafts...
The -00 version of the SAVPF draft is dated 19 October 2003.

According to 
publication was requested in February 2006, and it was approved by the 
IESG in November 2007. The publication delay was 3 months.

The technical changes that resulted from these 4 years of work can be 
seen here: