Re: [rtcweb] Consensus call regarding media security
Roman Shpount <roman@telurix.com> Wed, 28 March 2012 20:41 UTC
On Wed, Mar 28, 2012 at 1:56 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:

> 2012/3/28 Roman Shpount <roman@telurix.com>:
> > As I have mentioned before on this list I am strongly against making SRTP
> > protection for RTP a requirement. I think this is an unnecessary requirement
> > that serves little real purpose except feeding into some marketing message
> > that most of the WebRTC users would not care about. Unless use of identity
> > is also a requirement, requiring SRTP will provide security only in a very
> > narrow sense of the word. At the same time I do believe that extra standard
> > requirements will stifle innovation and will complicate new service or
> > application creation.
>
> SRTP (with SDES so without identity authentication) is still much
> better than plain RTP, right? If I'm in an airport connected to an
> open WiFi network, but I use HTTPS/WSS for signaling from my WebRTC
> browser, then I can be sure that no one in the airport can intercept
> my media streams (using SRTP-SDES).
>
> Of course this does not solve the fact that there could be some MiM
> attacker somewhere in the signaling path, but NOT in the airport! What
> is sure is that if I was using plain RTP then everyone in the open
> WiFi network could intercept my media streams.
>
> IMHO it's really clear that SRTP (even with SDES) is MUCH better than
> plain RTP. And so far I have not heard any advantage for allowing
> plain RTP other than "it allows interoperability with my 5 years ago
> SIP device".

My main objection is that if an application developer does not take care to develop a secure application, nothing you can do on the standard side will make it a secure application. If I am building a public voice blog that records a voice message that anybody can listen to on the web site, security is not needed. My assumption is that a fair number of applications would be like this. So for such applications this is an unnecessary feature.

WebRTC will not exist in a vacuum. It will communicate with other systems. It is not limited to old SIP devices. It can be something new like server side speech recognition that is integrated with a web application. For such an application, extra code and interop requirements to support security will represent a real and significant cost.

Any requirement, unless absolutely necessary, will create barriers to entry for new applications. I would like to avoid as many of those as possible.

_____________
Roman Shpount