Re: [rtcweb] Support of SDES in WebRTC
Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 29 March 2012 13:19 UTC
From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>, "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Date: Thu, 29 Mar 2012 15:19:11 +0200
Hi Fabio,

My assumption has always been the following:

- DTLS-SRTP is the default
- DTLS-SRTP + identity can be turned on via the JavaScript API if the webapp wishes to do so
- SDES can be turned on by a manipulated SDP offer/answer provided the entire webapp was retrieved over HTTPS

BTW I'm also in favor of _only_ allowing the SRTP NULL encryption algorithm in browser debug/developer mode.

Regards,

Oscar Ohlsson

> -----Original Message-----
> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of Fabio Pietrosanti (naif)
> Sent: Thursday, March 29, 2012 10:54 AM
> To: <rtcweb@ietf.org>
> Subject: [rtcweb] Support of SDES in WebRTC
>
> On the topic of SDES vs DTLS-SRTP a very nice analysis has been done on:
> http://www.potaroo.net/ietf/idref/draft-ohlsson-rtcweb-sdes-support/
>
> Considering how vague are the security implementation considerations of
> DTLS-SRTP and how widely diffused is SDES-SRTP, I'm wondering whether we
> should not mandate the use of SDES-SRTP.
>
> That way we would be able to see:
>
> - All implementations will start with SDES (simpler and quicker)
> - For who want enhanced security, greater implementation and
>   interoperability complexity, implement also DTLS-SRTP
>
> But for the industry a full cycle of:
> - Implementation
> - Stabilization
> - Interoperability
>
> for DTLS-SRTP (that nobody uses) may require from 2 up to 4-5 years of time.
>
> If we go for SDES-SRTP by default, as early choice, probably within
> 1-2 years at maximum we can expect the overall technological
> ecosystem to be stable and interoperable.
>
> Because it will be built on top of existing stable framework.
>
> We may save dozens of millions of USD of investment costs for the industry
> and gain some hundreds of millions of users years in advance, just because
> we would save several years of time.
>
> I think that those considerations are valuable enough to strongly consider
> arguments in making SDES-SRTP a preferred, mandatory implementation for
> WebRTC.
>
> --
> Fabio Pietrosanti
> Founder, CTO
>
> Tel: +39 02 85961748 (direct)
> Mobile: +39 340 1801049
> E-mail: fabio.pietrosanti@privatewave.com
> Skype: fpietrosanti
> Linkedin: http://linkedin.com/in/secret
>
> PrivateWave Italia S.p.A.
> Via Gaetano Giardino 1 - 20123 Milano - Italy
> www.privatewave.com
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
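
The keying policy outlined in the reply above, sketched as an added example that is not part of either message or of any browser's code. The function names, the `ctx` fields and the sample SDP are hypothetical, and treating "SRTP NULL encryption" as the RFC 4568 `UNENCRYPTED_SRTP` session parameter on an `a=crypto` line is an assumption.

```javascript
// Added example; function and field names are hypothetical.
// Classify which SRTP keying mechanisms an SDP blob advertises.
function classifyKeying(sdp) {
  const found = { dtls: false, sdes: false, unencrypted: false };
  for (const line of sdp.split(/\r?\n/)) {
    if (line.startsWith("a=fingerprint:")) found.dtls = true;
    if (line.startsWith("a=crypto:")) {
      found.sdes = true;
      // a=crypto:<tag> <suite> <key-params> [<session-params>...]
      const sessionParams = line.trim().split(/\s+/).slice(3);
      if (sessionParams.includes("UNENCRYPTED_SRTP")) found.unencrypted = true;
    }
  }
  return found;
}

// ctx.pageProtocol: e.g. location.protocol; ctx.debugMode: assumed browser flag.
// DTLS-SRTP is the default, so it wins whenever a fingerprint is present.
function evaluateSdp(sdp, ctx) {
  const k = classifyKeying(sdp);
  if (k.dtls) return { allowed: true, keying: "DTLS-SRTP" };
  if (!k.sdes) return { allowed: false, reason: "no SRTP keying offered" };
  if (ctx.pageProtocol !== "https:")
    return { allowed: false, reason: "SDES requires webapp loaded over HTTPS" };
  if (k.unencrypted && !ctx.debugMode)
    return { allowed: false, reason: "unencrypted SRTP only in debug mode" };
  return { allowed: true, keying: "SDES" };
}

// Constructed sample SDP fragments (key and fingerprint are placeholders).
const SDES_OFFER = [
  "m=audio 49170 RTP/SAVP 0",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_AND_SALT",
].join("\r\n");
const SDES_NULL_OFFER = SDES_OFFER + " UNENCRYPTED_SRTP";
const DTLS_OFFER = [
  "m=audio 49170 UDP/TLS/RTP/SAVP 0",
  "a=fingerprint:sha-256 PLACEHOLDER_FINGERPRINT",
].join("\r\n");
```
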