Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
Roman Shpount <roman@telurix.com> Fri, 11 November 2011 12:02 UTC
Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D3321F8593 for <rtcweb@ietfa.amsl.com>; Fri, 11 Nov 2011 04:02:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.897
X-Spam-Level:
X-Spam-Status: No, score=-2.897 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNvp1757YShB for <rtcweb@ietfa.amsl.com>; Fri, 11 Nov 2011 04:02:35 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 596D621F8548 for <rtcweb@ietf.org>; Fri, 11 Nov 2011 04:02:35 -0800 (PST)
Received: by gye5 with SMTP id 5so3382694gye.31 for <rtcweb@ietf.org>; Fri, 11 Nov 2011 04:02:35 -0800 (PST)
Received: by 10.101.4.20 with SMTP id g20mr5666387ani.73.1321012954603; Fri, 11 Nov 2011 04:02:34 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by mx.google.com with ESMTPS id f32sm33149203ani.20.2011.11.11.04.02.32 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 11 Nov 2011 04:02:33 -0800 (PST)
Received: by ywt34 with SMTP id 34so2215119ywt.31 for <rtcweb@ietf.org>; Fri, 11 Nov 2011 04:02:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.31.170 with SMTP id b10mr24056389pbi.18.1321012951954; Fri, 11 Nov 2011 04:02:31 -0800 (PST)
Received: by 10.68.62.170 with HTTP; Fri, 11 Nov 2011 04:02:31 -0800 (PST)
In-Reply-To: <CCF4FC92-D5AA-43C8-A0B2-8041C9B8E1BD@edvina.net>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <5454E693-5C34-4C77-BA07-2A9EE9EE4AFD@cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01349FFE@inba-mail01.sonusnet.com> <1D062974A4845E4D8A343C653804920206D3B7FD@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C0134A105@inba-mail01.sonusnet.com> <1F2A2C70609D9E41844A2126145FC09804691DA2@HKGMBOXPRD22.polycom.com> <CALiegfmf59jb4asUu9LA6YY_aMtKEnM1Wy34KbuLEn3_h1xBXA@mail.gmail.com> <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com> <1D062974A4845E4D8A343C653804920206D3BA57@XMB-BGL-414.cisco.com> <CALiegfkWnRT8m4S9pXTxuLsc-p_bhkG3d=PX3qgiFFt5gW5yfw@mail.gmail.com> <CAD5OKxvQYVKOZF88WLCiRseg-qXQdOpKeDU_t9b-yA2GcDBT-w@mail.gmail.com> <CABcZeBOiPxz_swdaG6Aqoch1WAUtjNh4eOQy1QObCDXT_B8azg@mail.gmail.com> <CAD5OKxtp+LQBRCHgbWdJyrSRcpNQ82i64TJgGtGPrE7+GKcEog@mail.gmail.com> <4EBC3475.90706@alvestrand.no> <CAD5OKxu_-+ZRsqpUBkFSj=tYtOKG0pK3JoQTZHwQGMuBCnp0Gw@mail.gmail.com> <CAD5OKxuaWJ3SBv+0gac6EQy6-Lsb-LS_SBXk5FqObKy4mN6wNg@mail.gmail.com> <CCF4FC92-D5AA-43C8-A0B2-8041C9B8E1BD@edvina.net>
Date: Fri, 11 Nov 2011 07:02:31 -0500
Message-ID: <CAD5OKxs-pWwDBjwAu=mQVWRZa4H_YPpzQ31=0qxUUj-pJOErcg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Olle E. Johansson" <oej@edvina.net>
Content-Type: multipart/alternative; boundary="bcaec520f2afbeb61904b1744be8"
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2011 12:02:36 -0000
On Fri, Nov 11, 2011 at 3:49 AM, Olle E. Johansson <oej@edvina.net> wrote: > If you support DTMF in RTP you already have a requirement that you SHOULD > only do that over SRTP. If rtcweb supports telephony-events, we are > already on the SRTP side as almost mandatory. I think it's easier to reach > an agreement on SRTP being mandatory than DTMF being dis-allowed. > > Well, this is a perfect example when specifying mandatory security for wrong reasons is simply being ignored. All the reactions I've seen to this so far were "this is only a SHOULD, let's disregard this for now". Getting security requirements in the standard which are too high too be practical usually produces products which disregard security completely, reaching the exactly opposite effect. I think, in this particular case, the right course of action is to use AVT tones in RTP as the rest of the industry is doing now. Also, I wanted expand on the debug requirements: I do hope we will make key exchange mechanism, different from SDES, mandatory for WebRTC. Passing actual encryption keys through JavaScript makes media encryption to easy to circumvent. This means some type of public/private key encryption used for key exchange. If we do this right, getting to the actual key used for media session encryption will be very difficult, so most of the tools currently used for SRTP debugging will stop working. We will also end up with something new, which will mean extensive need for debugging. Ability to turn this component on and off will be very helpful for implementation debugging. Once again, this will probably be not a critical point, but making something easier for developers usually goes a long way in driving the adoption. One more benefit of having RTP as fallback for legacy interop is that it will allow us to specify something that will be more secure for WebRTC. If SDES support would no longer be needed, we can concentrate on using key exchange mechanism that is actually secure. Finally, (going slightly off topic here) it would probably be a good idea to make key exchange part of the initial ICE transaction. This way we can use this key exchange as an additional verification of the remote party, and reduce the number of round trips required before the media flow is established. _____________ Roman Shpount
- [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Cameron Byrne
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Neil Stratford
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC José Luis Millán
- Re: [rtcweb] Let's define the purpose of WebRTC Tim Panton
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Christer Holmberg
- Re: [rtcweb] Let's define the purpose of WebRTC Tim Panton
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Justin Uberti
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- Re: [rtcweb] Let's define the purpose of WebRTC John Elwell
- Re: [rtcweb] Let's define the purpose of WebRTC Harald Alvestrand
- [rtcweb] SRTP - mandatory to implement vs mandato… Harald Alvestrand
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Wolfgang Beck
- Re: [rtcweb] Let's define the purpose of WebRTC Stefan Håkansson LK
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Harald Alvestrand
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- Re: [rtcweb] Let's define the purpose of WebRTC Jonathan Lennox
- Re: [rtcweb] Let's define the purpose of WebRTC Harald Alvestrand
- Re: [rtcweb] Let's define the purpose of WebRTC Wolfgang Beck
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- Re: [rtcweb] Let's define the purpose of WebRTC Harald Alvestrand
- Re: [rtcweb] Let's define the purpose of WebRTC Wolfgang Beck
- Re: [rtcweb] Let's define the purpose of WebRTC Ravindran Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] SRTP - mandatory to implement vs man… Magnus Westerlund
- Re: [rtcweb] Let's define the purpose of WebRTC Cullen Jennings
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- [rtcweb] SRTP requirement - wiretapping (Re: Let'… Harald Alvestrand
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran Parthasarathi
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Bernard Aboba
- Re: [rtcweb] surveillance in RTCWEB (was wiretapp… Bernard Aboba
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Cameron Byrne
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Ravindran Parthasarathi
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Cameron Byrne
- Re: [rtcweb] Let's define the purpose of WebRTC Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Let's define the purpose of WebRTC Ravindran Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Avasarala, Ranjit
- Re: [rtcweb] Let's define the purpose of WebRTC Harald Alvestrand
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Avasarala, Ranjit
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Ravindran Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Let's define the purpose of WebRTC Ravindran Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran, Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Neil Stratford
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC DRAGE, Keith (Keith)
- Re: [rtcweb] Let's define the purpose of WebRTC Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Let's define the purpose of WebRTC Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Let's define the purpose of WebRTC Neil Stratford
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Ravindran, Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Tim Panton
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Randell Jesup
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Justin Uberti
- Re: [rtcweb] Let's define the purpose of WebRTC Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Christer Holmberg
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran, Parthasarathi
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran, Parthasarathi
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] SRTP - mandatory to implement vs man… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Randell Jesup
- Re: [rtcweb] SRTP - mandatory to implement vs man… Harald Alvestrand
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- [rtcweb] Traffic should be encrypted. (Re: Let's … Harald Alvestrand
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Roman Shpount
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Harald Alvestrand
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Roman Shpount
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Eric Rescorla
- Re: [rtcweb] Let's define the purpose of WebRTC Hadriel Kaplan
- Re: [rtcweb] Let's define the purpose of WebRTC Eric Rescorla
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran, Parthasarathi
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Harald Alvestrand
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Olle E. Johansson
- Re: [rtcweb] Let's define the purpose of WebRTC Harald Alvestrand
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Roman Shpount
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Hadriel Kaplan
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Roman Shpount
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Cullen Jennings
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Eric Rescorla
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Hadriel Kaplan
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Randell Jesup
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Kevin P. Fleming
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Iñaki Baz Castillo
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Hadriel Kaplan
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Iñaki Baz Castillo
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Ravindran, Parthasarathi
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Hadriel Kaplan
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Justin Uberti
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Miguel Casas-Sanchez
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Marc Petit-Huguenin
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Tim Panton
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Harald Alvestrand
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Neil Stratford
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Justin Uberti
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Iñaki Baz Castillo
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Neil Stratford
- [rtcweb] Traffic on the list (Re: Traffic should … Harald Alvestrand
- [rtcweb] Fwd: Traffic should be encrypted. (Re: L… Wolfgang Beck
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Justin Uberti
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Neil Stratford
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Justin Uberti
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Hadriel Kaplan
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Christer Holmberg
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Neil Stratford
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Roman Shpount
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Randell Jesup
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Randell Jesup
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Neil Stratford
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Randell Jesup
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Michael Thornburgh
- Re: [rtcweb] Let's define the purpose of WebRTC Matthew Kaufman
- Re: [rtcweb] Let's define the purpose of WebRTC Matthew Kaufman
- [rtcweb] Media Synchronization (Re: Traffic shoul… Matthew Kaufman
- [rtcweb] DTMF (was Re: Traffic should be encrypte… Matthew Kaufman
- Re: [rtcweb] Let's define the purpose of WebRTC Roman Shpount
- [rtcweb] POTS lines to browser (was Re: Fwd: Traf… Matthew Kaufman
- Re: [rtcweb] POTS lines to browser (was Re: Fwd: … Wolfgang Beck
- [rtcweb] Call Security (was Re: Let's define the … Matthew Kaufman
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Tim Panton
- Re: [rtcweb] POTS lines to browser (was Re: Fwd: … Tim Panton
- Re: [rtcweb] POTS lines to browser (was Re: Fwd: … Iñaki Baz Castillo
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Media Synchronization (Re: Traffic s… Harald Alvestrand
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Tim Panton
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Justin Uberti
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Bernard Aboba
- Re: [rtcweb] Traffic should be encrypted. (Re: Le… Victor Pascual Avila
- Re: [rtcweb] Let's define the purpose of WebRTC Iñaki Baz Castillo
- Re: [rtcweb] SRTP requirement - wiretapping (Re: … Cullen Jennings