Re: [rtcweb] No Interim on SDES at this juncture

Hadriel Kaplan <hadriel.kaplan@oracle.com> Fri, 21 June 2013 16:56 UTC

Return-Path: <hadriel.kaplan@oracle.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7C2E21F9E21 for <rtcweb@ietfa.amsl.com>; Fri, 21 Jun 2013 09:56:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.555
X-Spam-Level:
X-Spam-Status: No, score=-6.555 tagged_above=-999 required=5 tests=[AWL=0.044, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRQCzVpbSM4B for <rtcweb@ietfa.amsl.com>; Fri, 21 Jun 2013 09:56:40 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id DF2BF21F9C93 for <rtcweb@ietf.org>; Fri, 21 Jun 2013 09:56:37 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r5LGuZPI010373 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 21 Jun 2013 16:56:35 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r5LGuYw5014838 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Jun 2013 16:56:34 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r5LGuXH2022191; Fri, 21 Jun 2013 16:56:33 GMT
Received: from [10.1.21.23] (/10.5.21.23) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 21 Jun 2013 09:56:33 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Hadriel Kaplan <hadriel.kaplan@oracle.com>
In-Reply-To: <CABkgnnX7y0bpj2jkkco8AMQcaPcXZHmYm+o2iAKouVWP+ChkiQ@mail.gmail.com>
Date: Fri, 21 Jun 2013 12:56:32 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <068A0A68-0E24-433E-92D9-CE85254DD620@oracle.com>
References: <CA+9kkMDnjCNXGV0GU7x6gbbZMf4WiEuVvCRY8_Fix5tmdOB-Kg@mail.gmail.com> <AD220324-EEE7-4800-8512-FD7BADA9EC34@oracle.com> <CA+9kkMDY2Z_5_1uYJ1K_ZmrJB2a1-RE7V3aPqNHQg82DyagjCg@mail.gmail.com> <2975A93F-44DA-4020-B4DE-42E7ED98C08F@oracle.com> <51BAC9BC.6070708@ericsson.com> <94846970-4694-4EC8-AEFA-AEECEE0135AA@oracle.com> <51C02EE8.5070809@ericsson.com> <AE1A6B5FD507DC4FB3C5166F3A05A4841A2C78AD@TK5EX14MBXC273.redmond.corp.microsoft.com> <CAL02cgTFSbYSX7v3q37tsjzaPMshyyBroGWr=qmy-HGm82GJFg@mail.gmail.com> <AE1A6B5FD507DC4FB3C5166F3A05A4841A2C7EF8@TK5EX14MBXC273.redmond.corp.microsoft.com> <CAL02cgQMkHu-NqEeScT2ObfknJ+3OjXi7Y=7rUJtqeu3CbewMQ@mail.gmail.com> <8E9D2A9F-3D8B-4480-A85D-320CF30FEAA6@oracle.com> <CAL02cgT3KEb0VB9kz=QCe7Mt3oj5tZvZouFe5-Uy90Cmm0H0dQ@mail.gmail.com> <30761469-F5CC-4858-8D40-4632A7D5A682@oracle.com> <CABkgnnX7y0bpj2jkkco8AMQcaPcXZHmYm+o2iAKouVWP+ChkiQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] No Interim on SDES at this juncture
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jun 2013 16:56:46 -0000

On Jun 21, 2013, at 11:58 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 20 June 2013 18:11, Hadriel Kaplan <hadriel.kaplan@oracle.com> wrote:
>> criminals, drug dealers, mobsters, casinos, news organizations, political parties, and governments
> 
> I assume that large corporations fit in this list in several places,
> so you chose to omit specific mention of those.  

Yes I chose to omit them.  Not because I think large corporations are angels, but because I think there are fairly effective mechanisms in place to keep large corporations from being malicious in terms of recording audio/video you don't expect to be recorded: laws, law suits and brand reputation.

That's why I think even direct competitors of Cisco are willing to use WebEx - and my last 4 employers all used WebEx and were all direct competitors of Cisco - not because we think it's impossible for the WebEx server to do it, nor because we believe they don't store keys or whatever, but rather because we know if they got caught doing it on purpose for malicious use then they'd be sued for blood, and the reputation of WebEx would be so tarnished as to be put out of existence.

Obviously there are some large corporations I won't name that my employers probably feel couldn't be held accountable or in-check in those ways - but we would never trust such large corporations no matter what key-exchange mechanism WebRTC uses.  In fact, even if WebRTC could provide a key-exchange that no malicious MITM could bypass, we still wouldn't trust such corporations - because the information in the JSON is almost as important as the conversation audio/video: it identifies who's communicating with whom, for how long, from where, and often even on what subject.  That's one of the reasons I was saying the other day: if the web-server or JS is truly malicious or compromised, it's game over.


> There seems to be a
> fair amount of overlap in those categories as it stands.

I get the impression each one might not be a criminal in some country-or-other's perspective.
Arguably for some countries, *all* of them are "criminals". ;)

-hadriel