Re: [rtcweb] Resolving RTP/SDES question in Paris
"Ejzak, Richard P (Richard)" <richard.ejzak@alcatel-lucent.com> Mon, 19 March 2012 04:10 UTC
Return-Path: <richard.ejzak@alcatel-lucent.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C68A521F85A2 for <rtcweb@ietfa.amsl.com>; Sun, 18 Mar 2012 21:10:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.582
X-Spam-Level:
X-Spam-Status: No, score=-6.582 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ANZPL9Gdb6b for <rtcweb@ietfa.amsl.com>; Sun, 18 Mar 2012 21:10:13 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id 2B26121F8582 for <rtcweb@ietf.org>; Sun, 18 Mar 2012 21:10:13 -0700 (PDT)
Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id q2J4ACxG024266 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <rtcweb@ietf.org>; Sun, 18 Mar 2012 23:10:12 -0500 (CDT)
Received: from USNAVSXCHHUB03.ndc.alcatel-lucent.com (usnavsxchhub03.ndc.alcatel-lucent.com [135.3.39.112]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q2J4A2T7025551 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <rtcweb@ietf.org>; Sun, 18 Mar 2012 23:10:12 -0500
Received: from USNAVSXCHMBSA1.ndc.alcatel-lucent.com ([135.3.39.127]) by USNAVSXCHHUB03.ndc.alcatel-lucent.com ([135.3.39.112]) with mapi; Sun, 18 Mar 2012 23:10:04 -0500
From: "Ejzak, Richard P (Richard)" <richard.ejzak@alcatel-lucent.com>
To: "rtcweb@ietf.org" <rtcweb@ietf.org>
Date: Sun, 18 Mar 2012 23:10:03 -0500
Thread-Topic: [rtcweb] Resolving RTP/SDES question in Paris
Thread-Index: Ac0FdudnBIv6w/qvSsm0F0baAlpeKQAA2MGg
Message-ID: <6F428EFD2B8C2F49A2FB1317291A76C113563C5A92@USNAVSXCHMBSA1.ndc.alcatel-lucent.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com>
In-Reply-To: <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_6F428EFD2B8C2F49A2FB1317291A76C113563C5A92USNAVSXCHMBSA_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 04:10:16 -0000
I would like to argue two points: 1) DTLS-SRTP with IdP is the only media security scheme that rtcweb should support; and 2) rtcweb should also support RTP (no media security) with a clear requirement on the browser UI to warn the user of the complete lack of media security. DTLS-SRTP Some of the arguments made against DTLS-SRTP in recent emails are valid unless it is integrated with trusted IdP that is sufficient to verify the identity of the remote party. With this one caveat, DTLS-SRTP is equal to or (mostly) better than SDES-SRTP in almost all respects (not to be repeated here). Even if the identity is suspect, the IdP can at least provide some degree of assurance and accountability when an issue arises. Without that, a user has no recourse when a problem develops. The key is that the browser UI must make clear to the user the identity of the remote party with whom media security has been established (even when it is a network gateway, in which case the identify of the gateway operator). It should also be possible for the end user to mandate that a remote party identity is always verified before communication is allowed (perhaps even make this a requirement when media security is selected). This is not too burdensome a requirement if established up front to help manage SPIT. When end-to-end security is possible, then Alice knows that she's talking to Bob and vice versa. Even when Alice is talking to someone reached via the PSTN, she can know that she has a secure media connection to a gateway owned by a particular (the identified) operator, thus establishing a significant part of the chain of accountability. We can't improve on the security available through the PSTN, but we can improve on the security available to the point of interconnection with the identified operator (which may be different from the owner of the rtcweb application). With DTLS-SRTP the user can have some basis for deciding whether to trust the identified operator; else (even with SDES-SRTP) you must completely trust the owner of the rtcweb application and there is no way to identify or verify any security attributes associated with the media. Finally, there are multiple reasons to avoid supporting multiple media security schemes. It is difficult enough to expect the end user to make sure they are comfortable with the identity of the remote party of a secure media connection, but to ask if they are comfortable with an alternative media security scheme is simply too much to expect. Bid-down attacks are just too easy and it is impossible to verify any remote party identity with SDES-SRTP. RTP There are too many reasonable use cases for unsecured media for us to ignore them. The browser should be very clear when media security is unavailable and make it easy to prevent communication without media security (perhaps as a default setting), but there are legitimate use cases in various private environments (e.g., enterprise, jail) where media security may not be allowed (or must somehow be compromised), or is just not available, that we should just support straight RTP. As long as the user can control the conditions under which media security is disabled, I do not see a problem. Richard Ejzak
- [rtcweb] Resolving RTP/SDES question in Paris Magnus Westerlund
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Cameron Byrne
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Cameron Byrne
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Lorenzo Miniero
- Re: [rtcweb] Resolving RTP/SDES question in Paris Lorenzo Miniero
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Jim Barnett
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- [rtcweb] RTP-IPSec vs SRTP-DTLS [was RE: Resolvin… Ravindran, Parthasarathi
- Re: [rtcweb] RTP-IPSec vs SRTP-DTLS [was RE: Reso… Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hutton, Andrew
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- [rtcweb] Telling the user the connection is secur… Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Telling the user the connection is s… Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Telling the user the connection is s… Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Jim Barnett
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hutton, Andrew
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Richard L. Barnes
- Re: [rtcweb] Resolving RTP/SDES question in Paris Magnus Westerlund
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount