IETF Logo Mail Archive

Re: [rtcweb] Support of SDES in WebRTC

Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 29 March 2012 13:19 UTC

Return-Path: <oscar.ohlsson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113D621F8B5E for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 06:19:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.781
X-Spam-Level:
X-Spam-Status: No, score=-9.781 tagged_above=-999 required=5 tests=[AWL=0.503, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5U3vdtVVRbzk for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 06:19:14 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by ietfa.amsl.com (Postfix) with ESMTP id A593221F8B58 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 06:19:13 -0700 (PDT)
X-AuditID: c1b4fb3d-b7b5aae000002dcb-df-4f7461501307
Authentication-Results: mailgw10.se.ericsson.net x-tls.subject="/CN=esessmw0191"; auth=fail (cipher=AES128-SHA)
Received: from esessmw0191.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client CN "esessmw0191", Issuer "esessmw0191" (not verified)) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 25.C9.11723.051647F4; Thu, 29 Mar 2012 15:19:12 +0200 (CEST)
Received: from ESESSCMS0360.eemea.ericsson.se ([169.254.1.51]) by esessmw0191.eemea.ericsson.se ([153.88.115.84]) with mapi; Thu, 29 Mar 2012 15:19:11 +0200
From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>, "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Date: Thu, 29 Mar 2012 15:19:11 +0200
Thread-Topic: [rtcweb] Support of SDES in WebRTC
Thread-Index: Ac0NiZWYdHL9SBPWQgOmTuIcbk0A4wAIZ5Aw
Message-ID: <A1B638D2082DEA4092A268AA8BEF294D194602D97D@ESESSCMS0360.eemea.ericsson.se>
References: <4F742344.802@infosecurity.ch>
In-Reply-To: <4F742344.802@infosecurity.ch>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sv-SE, en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [rtcweb] Support of SDES in WebRTC
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 13:19:16 -0000

Hi Fabio,

My assumption has always been the following:

- DTLS-SRTP is the default
- DTLS-SRTP + identity can be turned on via the JavaScript API if the webapp wishes to do so
- SDES can be turned on by a manipulated SDP offer/answer provided the entire webapp was retrieved over HTTPS

BTW I'm also in favor of _only_ allowing the SRTP NULL encryption algorithm in browser debug/developer mode.

Regards,

Oscar Ohlsson


> -----Original Message-----
> From: rtcweb-bounces@ietf.org 
> [mailto:rtcweb-bounces@ietf.org] On Behalf Of Fabio Pietrosanti (naif)
> Sent: Thursday, March 29, 2012 10:54 AM
> To: <rtcweb@ietf.org>
> Subject: [rtcweb] Support of SDES in WebRTC
> 
> On the topic of SDES vs DTLS-SRTP a very nice analysis has 
> been done on:
> http://www.potaroo.net/ietf/idref/draft-ohlsson-rtcweb-sdes-support/
> 
> Considering how vague are the security implementation 
> consideration of DTLS-SRTP and how widely diffused in 
> SDES-SRTP, i'm wondering whenever we should not mandate the 
> use of SDES-SRTP.
> 
> That way we would be able to see:
> 
> - All implementation will start with SDES (simpler and quicker)
> - For who want enhanced security, greater implementation and 
> interoperability complexity, implement also DTLS-SRTP
> 
> But for the industry a full cycle of:
> - Implementation
> - Stabilization
> - Interoperability
> 
> for DTLS-SRTP (that nobody use) may require from 2 up to 4-5 
> years of time.
> 
> If we goes for SDES-SRTP by default, as early choice, probably within
> 1-2 years at maximum we can expect the overall technological 
> ecosystem to be stable and interoperable.
> 
> Because it will be built on top of existing stable framework.
> 
> We may save dozens millions of USD of investments costs for 
> the industry and gain some hundreds millions of users year in 
> advance, just because we would save several years of time.
> 
> I think that those consideration are valuable enough to 
> strongly consider arguments in making SDES-SRTP a preferred, 
> mandatory implementation for WebRTC.
> 
> --
> Fabio Pietrosanti
> Founder, CTO
> 
> Tel: +39 02 85961748 (direct)
> Mobile: +39 340 1801049
> E-mail: fabio.pietrosanti@privatewave.com
> Skype: fpietrosanti
> Linkedin: http://linkedin.com/in/secret
> 
> PrivateWave Italia S.p.A.
> Via Gaetano Giardino 1 - 20123 Milano - Italy 
> www.privatewave.com _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

v2.23.0 | Report a Bug | By Email