Re: [rtcweb] Consensus call regarding media security

"Dan Wing" <dwing@cisco.com> Wed, 28 March 2012 17:06 UTC

From: Dan Wing <dwing@cisco.com>
To: 'Basil Mohamed Gohar' <abu_hurayrah@hidayahonline.org>, rtcweb@ietf.org
References: <4F732531.2030208@ericsson.com> <4F732649.5010705@hidayahonline.org>
In-Reply-To: <4F732649.5010705@hidayahonline.org>
Date: Wed, 28 Mar 2012 19:06:45 +0200
Message-ID: <0bf401cd0d05$284c50a0$78e4f1e0$@com>
Subject: Re: [rtcweb] Consensus call regarding media security

> -----Original Message-----
> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> Behalf Of Basil Mohamed Gohar
> Sent: Wednesday, March 28, 2012 4:55 PM
> To: rtcweb@ietf.org
> Subject: Re: [rtcweb] Consensus call regarding media security
> 
> On 03/28/2012 10:50 AM, Magnus Westerlund wrote:
> > WG,
> >
> > In today's RTCWEB WG meeting there was discussion around media security
> > mechanism. In this meeting there was some clear consensus in the
> > meeting which we would like to confirm on the list.
> >
> > The first was that there was overwhelming consensus that all RTP
> > packets SHALL be protected by SRTP.
> >
> > Secondly that no one objected against making DTLS-SRTP a mandatory to
> > implement and the default keying mechanism. Additional mechanisms are
> > not precluded.
> >
> > WG participants may state their position regarding these consensus calls
> > until 12th of April when the chairs will declare the final consensus. If
> > you were present in the meeting room and comment on this, please
> > indicate that.
> >
> > Best Regards
> >
> > Magnus Westerlund
> > For the WG chairs
> I already brought-up my concerns in the other thread, so I'll summarize
> the core point I was making here.  Would using SRTP *require* a central
> authority for establishing authenticity, or can authenticity be
> established via a point-to-point means (e.g., how it's traditionally
> done via SSH [i.e., upon first connection or via previous key
> exchange])?

A central authority is not required.

DTLS-SRTP itself doesn't use the information in the DTLS certificates (the
information that might be present is ignored).  

Of course, if you want identity, then an identity service needs to exist.
But it is possible to operate DTLS-SRTP without identity, which still
provides value beyond Security Descriptions.  For example, because you
mentioned ssh, an 'easy' way to do DTLS-SRTP is to place the remote
peer's certificate fingerprint into your local address book.  No central
authority is needed, and you could get an alert if/when the remote peer's 
certificate changes.  A similar technique for HTTP is described in 
draft-ietf-websec-key-pinning.  A similar technique for ZRTP is
http://tools.ietf.org/html/rfc6189#section-12.

> This is about degrees of trust that the user is willing to place upon
> various methods, of course.  I am stating that the option should exist
> for authenticity of an end point to be established outside of a central
> authority (e.g., key exchange via other means).

I agree that is valuable.

-d
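The address-book pinning Dan describes above (pin the remote peer's DTLS certificate fingerprint on first contact, alert if it later changes, no central authority involved), worked through as an added example; this is not code from the original thread or from any rtcweb implementation. It assumes the peer advertises its fingerprint in the SDP a=fingerprint attribute (hash name followed by colon-separated hex octets, the DTLS-SRTP signaling format), and that the application can obtain the DER bytes of the certificate the peer actually presented in the DTLS handshake. The peer ids, the store class and the certificate byte strings are constructed for the example; they are not real DER certificates, only inputs to the hash.

```python
import hashlib
import hmac
import re

# SDP hash-function names mapped to hashlib names.
_HASH_NAMES = {"sha-1": "sha1", "sha-256": "sha256",
               "sha-384": "sha384", "sha-512": "sha512"}

# One a=fingerprint line: "a=fingerprint:<hash> <HH:HH:...>"
_FP_RE = re.compile(
    r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$", re.M)


def cert_fingerprint(cert_der: bytes, hash_func: str = "sha-256") -> str:
    """Hash the DER-encoded certificate and format it the way the SDP
    a=fingerprint attribute does: upper-case hex octets joined by colons."""
    digest = hashlib.new(_HASH_NAMES[hash_func], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def sdp_fingerprint(sdp: str):
    """Return (hash_func, fingerprint) from the first a=fingerprint line,
    or None when the offer/answer carries no fingerprint at all."""
    m = _FP_RE.search(sdp)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).upper()


def fingerprints_equal(a: str, b: str) -> bool:
    # Constant-time comparison; case-normalised so both spellings compare equal.
    return hmac.compare_digest(a.upper().encode(), b.upper().encode())


class PeerFingerprintStore:
    """Address-book style pin store: peer id -> (hash_func, fingerprint).
    The first contact pins whatever the peer presents (trust on first use,
    as ssh does with known_hosts); every later contact must match it."""
    NEW, MATCH, CHANGED = "new", "match", "changed"

    def __init__(self):
        self._pins = {}

    def check(self, peer_id: str, hash_func: str, fingerprint: str) -> str:
        pinned = self._pins.get(peer_id)
        if pinned is None:
            self._pins[peer_id] = (hash_func, fingerprint.upper())
            return self.NEW
        pinned_func, pinned_fp = pinned
        # A different hash function cannot be compared against the pin, so it
        # is treated as a change rather than silently accepted.
        if pinned_func == hash_func and fingerprints_equal(pinned_fp, fingerprint):
            return self.MATCH
        return self.CHANGED

    def pinned(self, peer_id: str):
        return self._pins.get(peer_id)


def verify_peer(store: PeerFingerprintStore, peer_id: str, sdp: str,
                handshake_cert_der: bytes):
    """Two checks at DTLS handshake time, returning (ok, reason):
    1. the certificate the peer presented in DTLS hashes to the fingerprint it
       advertised in SDP, binding the handshake to the signaling exchange;
    2. that fingerprint matches the one pinned for this peer on first contact.
    A changed pin is a hard failure: only the user can tell a legitimate key
    rollover from an attacker sitting on the signaling path."""
    parsed = sdp_fingerprint(sdp)
    if parsed is None:
        return False, "no a=fingerprint in SDP"
    hash_func, advertised = parsed
    if hash_func not in _HASH_NAMES:
        return False, f"unsupported hash function {hash_func}"
    actual = cert_fingerprint(handshake_cert_der, hash_func)
    if not fingerprints_equal(actual, advertised):
        return False, "DTLS certificate does not match SDP fingerprint"
    status = store.check(peer_id, hash_func, actual)
    if status == PeerFingerprintStore.CHANGED:
        return False, "pinned fingerprint changed; confirm the new key out of band"
    return True, status


def make_offer(cert_der: bytes) -> str:
    """Constructed minimal SDP fragment carrying the certificate's fingerprint."""
    return ("v=0\r\nm=audio 9 UDP/TLS/RTP/SAVPF 111\r\n"
            f"a=fingerprint:sha-256 {cert_fingerprint(cert_der)}\r\n"
            "a=setup:actpass\r\n")


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, not real X.509 data.
    alice_cert = b"constructed: alice's DTLS certificate"
    other_cert = b"constructed: some other certificate"
    store = PeerFingerprintStore()
    print(verify_peer(store, "alice@example.net", make_offer(alice_cert), alice_cert))
    print(verify_peer(store, "alice@example.net", make_offer(alice_cert), alice_cert))
    print(verify_peer(store, "alice@example.net", make_offer(other_cert), other_cert))
    print(verify_peer(store, "alice@example.net", make_offer(alice_cert), other_cert))
```

The last two calls show the two distinct failures a practitioner needs to keep apart: a consistent SDP plus certificate that simply differ from the pin (key rollover or an attacker who controls signaling and media), and a certificate that does not match the advertised fingerprint at all (the media path is not the one the signaling described). Neither check involves a certificate authority; what DTLS certificates may contain is irrelevant, exactly as the reply above says.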