Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)

Randell Jesup <> Wed, 28 September 2011 04:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9660D21F8CB4 for <>; Tue, 27 Sep 2011 21:51:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.567
X-Spam-Status: No, score=-2.567 tagged_above=-999 required=5 tests=[AWL=0.032, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qq7DqWb33Srh for <>; Tue, 27 Sep 2011 21:51:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0A19821F8CAD for <>; Tue, 27 Sep 2011 21:51:44 -0700 (PDT)
Received: from ([] helo=[]) by with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <>) id 1R8mAB-0005if-TU for; Tue, 27 Sep 2011 23:54:31 -0500
Message-ID: <>
Date: Wed, 28 Sep 2011 00:50:48 -0400
From: Randell Jesup <>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Subject: Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Sep 2011 04:51:45 -0000

I've been staying out of this one, but one comment:

On 9/27/2011 7:30 PM, Eric Rescorla wrote:
> I don't know what "trust agreements with specific web sites" means.
> The basic situation here is that browser vendors do not want to ship 
> browsers
> which can be used as an attack platform. And since the victim is not 
> the user
> but rather the recipient of the traffic, that's why WebSockets and CORS
> require that the server (i.e., the recipient of the traffic) confirm 
> its willingness
> to receive the traffic, as opposed to having the user agree to it. I 
> don't see
> how any trust mechanism that doesn't involve the recipient can have the
> right security properties.

Is there any way we could leverage something similar to CORS to allow
destinations to specify they're willing to take traffic in some manner
other than per-connection ICE?

This could be a lot simpler for PBXes, gateways, and the like to
implement than ICE/SRTP/etc.

The general idea would be to try ICE, and if the other side doesn't
do ICE, check a CORS-equivalent at the same same address on a port
(the port could be specified in DNS SRV records perhaps, or even an
alternate address to use to check).  If it says it's willing to
accept webrtc traffic without verification, great.  (This could be
additionally secured by requiring the server to mark the app/service
as known to be acceptable in the CORS data.)

Randell Jesup