IETF Logo Mail Archive

Re: [rtcweb] Let's define the purpose of WebRTC

"Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com> Wed, 09 November 2011 13:36 UTC

Return-Path: <mperumal@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7122C21F8B05 for <rtcweb@ietfa.amsl.com>; Wed, 9 Nov 2011 05:36:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.642
X-Spam-Level:
X-Spam-Status: No, score=-6.642 tagged_above=-999 required=5 tests=[AWL=-0.343, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0giHHI4fywo3 for <rtcweb@ietfa.amsl.com>; Wed, 9 Nov 2011 05:36:53 -0800 (PST)
Received: from ams-iport-4.cisco.com (ams-iport-4.cisco.com [144.254.224.147]) by ietfa.amsl.com (Postfix) with ESMTP id C0EEA21F8AFD for <rtcweb@ietf.org>; Wed, 9 Nov 2011 05:36:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mperumal@cisco.com; l=6574; q=dns/txt; s=iport; t=1320845812; x=1322055412; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=2FYm84xJUblhnPKKKv0qTKwkUfK5pC0DEzb6XnQfiaE=; b=f44upTn3ywVTFtZ8SavY+rHVtLgwxJRbNOk23Sz7CEBLrLSBfQq+cHhY lZmZ3XsJzfaUyQgKRFs//p1ZVfYeqtgCFoUr3NoC6Nz8OtOKzNFVticlU Gck58ArbIu8GQ6vTeXSATyrMOwH2mI4I+/Xs6W0RPAaiTExHKijsmVZA6 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvMAAC+Buk5Io8UQ/2dsb2JhbABChH2VK450gQKBBYFyAQEBBBIBEA0ERQwEAgEIEQQBAQMCBgYXAQICAgEBRAkIAQEECwgIEwehDwGMWZJHgTCHOTNjBIgKkVmMPA
X-IronPort-AV: E=Sophos;i="4.69,484,1315180800"; d="scan'208";a="2725878"
Received: from bgl-core-1.cisco.com ([72.163.197.16]) by ams-iport-4.cisco.com with ESMTP; 09 Nov 2011 13:36:50 +0000
Received: from xbh-bgl-411.cisco.com (xbh-bgl-411.cisco.com [72.163.129.201]) by bgl-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id pA9DanM4020246; Wed, 9 Nov 2011 13:36:49 GMT
Received: from xmb-bgl-414.cisco.com ([72.163.129.210]) by xbh-bgl-411.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 9 Nov 2011 19:06:49 +0530
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Date: Wed, 09 Nov 2011 19:06:47 +0530
Message-ID: <1D062974A4845E4D8A343C653804920206D3BA57@XMB-BGL-414.cisco.com>
In-Reply-To: <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [rtcweb] Let's define the purpose of WebRTC
Thread-Index: Acye1vqSklfdvrV6R9+fUrMeoau8SgAC2p3Q
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <8A61D801-D14D-408B-9875-63C37D0CC166@acmepacket.com> <CABw3bnPE=OY_h5bM7GA6wgrXiOBL8P4J0kw1jLv-GSpHAbg=Cg@mail.gmail.com> <CABcZeBNqdkh8u=gwOvKfDCQA7rXdAyQkfaM1r2Sx10787btP6A@mail.gmail.com> <B10FEFF6-0ADC-4DB1-83BB-50A11C65EC35@acmepacket.com> <CABcZeBNSXtim_VqzqAd8Z-u4zWSjaYmsVZPN=7sDYkJsgtRAHA@mail.gmail.com> <4EB7E6A5.70209@alvestrand.no> <F8003BA9-BCD8-4F02-B514-8B883FF90F91@acmepacket.com> <387F9047F55E8C42850AD6B3A7A03C6C01349D81@inba-mail01.sonusnet.com> <845C03B2-1975-4145-8F52-8CEC9E360AF3@edvina.net> <5454E693-5C34-4C77-BA07-2A9EE9EE4AFD@cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01349FFE@inba-mail01.sonusnet.com> <1D062974A4845E4D8A343C653804920206D3B7FD@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C0134A105@inba-mail01.sonusnet.com> <1F2A2C70609D9E41844A2126145FC09804691DA2@HKGMBOXPRD22.polycom.com> <CALiegfmf59jb4asUu9LA6YY_aMtKEnM1Wy34KbuLEn3_h1xBXA@mail.gmail.com> <1D0 62974A48 45E4D8A343C6 53804920206D3B9C1@XMB-BGL-414.cisco.com> <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com>
From: "Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
X-OriginalArrivalTime: 09 Nov 2011 13:36:49.0537 (UTC) FILETIME=[A20C9F10:01CC9EE4]
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Let's define the purpose of WebRTC
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 13:36:57 -0000

I was trying to envision a solution for the "untrusted JS" issue and I don't intend to argue on whether or not we should allow insecure calling to non-WebRTC clients.

|The "browser" cannot decide that. Probably you mean the user

Yes, a decision made by the browser with user consent if required, with no application involvement.

|And what you state is that, in case the peer does not annouce 
|support for SRTP then the browser should downgrade security 
|to plain RTP.

No, not based on the SRTP capability advertised by the peer, rather based on whether the peer claims it is WebRTC compliant (to make sure calls b/w WebRTC clients are always secure).

|The user (web visitor) has no way to know whether the WebRTC 
|application will contact a WebRTC browser or another device 
|at the media plane.

We could add a STUN extension to indicate compliance to WebRTC, including the supported version level if we ever come up with WebRTC2.0.

Muthu

|-----Original Message-----
|From: Iñaki Baz Castillo [mailto:ibc@aliax.net]
|Sent: Wednesday, November 09, 2011 5:28 PM
|To: Muthu Arul Mozhi Perumal (mperumal)
|Cc: Avasarala, Ranjit; Ravindran Parthasarathi; Cullen Jennings (fluffy); Olle E. Johansson;
|rtcweb@ietf.org
|Subject: Re: [rtcweb] Let's define the purpose of WebRTC
|
|2011/11/9 Muthu Arul Mozhi Perumal (mperumal) <mperumal@cisco.com>:
|> I am thinking we could burn SRTP into the browser such that the decision of whether or not to use
|SRTP vests solely with the browser.
|
|The "browser" cannot decide that. Probably you mean the user, that
|person that in 99.999% of cases does not know what "encryption" or
|"SRTP" is, and in 85% of cases does not matter about security.
|
|
|> If a WebRTC browser is exchanging media with another WebRTC browser they always do SRTP/SRTCP.
|
|The browser has NO way to determine whether it's exchanging media with
|another browser or not. And what you state is that, in case the peer
|does not annouce support for SRTP then the browser should downgrade
|security to plain RTP. The user (web visitor) has no way to know
|whether the WebRTC application will contact a WebRTC browser or
|another device at the media plane.
|
|
|> If either side isn't WebRTC compliant they end up with RTP/RTCP.
|
|So no security. Bad.
|
|
|> This way we don't need to trust the JS, instead trust only the browser.
|
|You mean the user.
|
|
|> We can also interoperate with legacy devices without taxing them.
|
|Sorry, but WebRTC is about "realtime communications for the Web",
|rather than "SIP business coming to the Web". SIP uses RTP, including
|RFC's about SRTP. If you want SIP interoperability with a WebRTC
|device, then make your work as vendor and add security to your SIP
|devices rather than asking no-security for WebRTC.
|
|Please, take a look to XMPP/Jingle !!  They implement SRTP and ICE
|from the beginning!! *Do* your homeworks as SIP vendor.
|
|This is a problem of SIP vendors/telcos, this is not a problem of
|WebRTC. You should implement SRTP in your legacy and non-secure SIP
|devices and make them valid for communication across the open Internet
|in which security is a MUST (Internet is not a telco wallen garden).
|The main purpose of WebRTC is not to interoperate with insecure
|devices, do we all agree here?
|
|I don't support this kind of arguments in favour of non mandating SRTP.
|
|
|PS: Somebody could argue that, in the Web, neither HTTPS or
|WebSocket+TLS is a MUST but optional per website, so why to make SRTP
|mandatory? That would be a very different argument I could understand
|and discuss about. But forcing a *new* specification to be insecure
|just to allow interoperability with non-secure devices is not welcome.
|WebRTC is for the Web, not for SIP.
|
|PS: This kind of discussions give the reason to recent comments like
|the one from Tim Parton. This WG is too much focused on SIP
|vendors/telcos which are not fully interested in RTC communications in
|pure Web/Internet environments, but in making the web browsers a new
|SIP phone for integratting them into their telco business. Bad.
|
|PS: I'm also interested in interoperability between WebRTC browsers
|and SIP devices (as much as you), but I assume that just a few SIP
|devices MUST be able to interop with WebRTC (those that have done
|their homeworks by implementing SRTP and ICE).
|
|
|And those discussions are becoming very boring. There are not new
|arguments at all. It seems than within next weeks/months, SIP
|telcos/vendors will continue requesting not mandatory SRTP just to
|facilitate their business without investing in improving their
|non-secure devices. This is a no-go.
|
|
|Regards.
|
|
|--
|Iñaki Baz Castillo
|<ibc@aliax.net>

v2.23.0 | Report a Bug | By Email