Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)

Roman Shpount <roman@telurix.com> Thu, 05 April 2012 17:42 UTC

In-Reply-To: <4F7DD13F.2010006@infosecurity.ch>
References: <4F7D7103.6040102@infosecurity.ch> <4F7DBEFC.6040302@alcatel-lucent.com> <4F7DD13F.2010006@infosecurity.ch>
Date: Thu, 5 Apr 2012 13:42:17 -0400
Message-ID: <CAD5OKxv_e9Ncw7xt3eh9jNM9HWX1snDN1wVynkFT2GPoA+y1_w@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
X-List-Received-Date: Thu, 05 Apr 2012 17:42:27 -0000

On Thu, Apr 5, 2012 at 1:07 PM, Fabio Pietrosanti (naif) <
lists@infosecurity.ch> wrote:

> This means that DTLS-SRTP, from a trust-model point of view, does not
> provide end-to-end security because there will always be a trusted third
> party able to authorize Man in the Middle to do eavesdropping.
>

Incorrect. If the fingerprint is exposed and can be verified, DTLS-SRTP does
provide end-to-end security. No third parties involved.
______________
Roman Shpount
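The check Roman is relying on, shown as an added example that is not code from this message or from any rtcweb implementation: after the DTLS handshake, a DTLS-SRTP endpoint hashes the certificate the peer actually presented and compares it with the `a=fingerprint` attribute the peer signalled in SDP (RFC 4572 / RFC 5763). The "certificates" below are constructed byte strings standing in for DER-encoded X.509 certificates, the SDP offer is constructed, and the function names are mine. The example also shows the two sides of the thread's disagreement: a man-in-the-middle who only terminates DTLS on the media path fails the check, while one who can also rewrite the signalled fingerprint passes it, which is why the fingerprint itself has to be verifiable.

```python
"""Fingerprint check for DTLS-SRTP: a=fingerprint in SDP vs the certificate
presented in the DTLS handshake. Added example; certificates, SDP and names
are constructed for illustration, not taken from any real implementation."""
import hashlib
import hmac
import re
from typing import Tuple

# Hash names as they appear in a=fingerprint (RFC 4572 / RFC 8122) -> hashlib.
_HASH_FUNCS = {
    "sha-1": hashlib.sha1,
    "sha-224": hashlib.sha224,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# a=fingerprint:<hash-func> <HH:HH:...:HH>
_FP_RE = re.compile(
    r"^a=fingerprint:(?P<func>[\w-]+)\s+"
    r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$"
)


def certificate_fingerprint(der_cert: bytes, hash_func: str = "sha-256") -> str:
    """Fingerprint of a DER certificate in a=fingerprint form: upper-case hex
    octets separated by colons. The hash is over the DER bytes, nothing else."""
    digest = _HASH_FUNCS[hash_func.lower()](der_cert).digest()
    return ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(sdp: str) -> Tuple[str, str]:
    """Return (hash_func, fingerprint) from the a=fingerprint line of an SDP blob.
    Raises ValueError if the attribute is missing, malformed or uses an unknown hash."""
    for line in sdp.splitlines():
        m = _FP_RE.match(line.strip())
        if m:
            func = m.group("func").lower()
            if func not in _HASH_FUNCS:
                raise ValueError(f"unsupported fingerprint hash {func}")
            return func, m.group("fp").upper()
    raise ValueError("no a=fingerprint attribute in SDP")


def verify_peer_certificate(signalled_sdp: str, presented_der_cert: bytes) -> bool:
    """The post-handshake check: does the certificate the peer presented in DTLS
    match the fingerprint the peer signalled in SDP? Constant-time compare so the
    comparison itself leaks nothing about the expected value."""
    func, expected = parse_fingerprint(signalled_sdp)
    actual = certificate_fingerprint(presented_der_cert, func)
    return hmac.compare_digest(actual.encode(), expected.encode())


def build_offer(der_cert: bytes, hash_func: str = "sha-256") -> str:
    """Constructed SDP offer carrying the fingerprint of der_cert."""
    return "\r\n".join([
        "v=0",
        "o=- 1 1 IN IP4 192.0.2.10",
        "s=-",
        "m=audio 50000 UDP/TLS/RTP/SAVPF 111",
        "a=setup:actpass",
        f"a=fingerprint:{hash_func} {certificate_fingerprint(der_cert, hash_func)}",
    ])


def mitm_rewrite_fingerprint(sdp: str, mitm_der_cert: bytes) -> str:
    """What a man-in-the-middle who also controls signalling does: swap the
    fingerprint for that of its own certificate. Used to show the limit of the check."""
    func, _ = parse_fingerprint(sdp)
    new_fp = certificate_fingerprint(mitm_der_cert, func)
    return "\r\n".join(
        f"a=fingerprint:{func} {new_fp}" if line.startswith("a=fingerprint:") else line
        for line in sdp.splitlines()
    )


# Constructed stand-ins for DER-encoded certificates (real ones would be ASN.1).
ALICE_CERT = b"\x30\x82\x01\x00constructed-cert-alice-self-signed-dtls"
MITM_CERT = b"\x30\x82\x01\x00constructed-cert-attacker-on-media-path"
ALICE_OFFER = build_offer(ALICE_CERT)


def demo() -> dict:
    """Three outcomes of the check, keyed by scenario."""
    return {
        # Honest peer: presented cert matches the signalled fingerprint.
        "honest": verify_peer_certificate(ALICE_OFFER, ALICE_CERT),
        # MITM on the media path only: DTLS shows its cert, SDP still says Alice's.
        "media_mitm": verify_peer_certificate(ALICE_OFFER, MITM_CERT),
        # MITM on media *and* signalling: the check alone cannot catch it; the
        # fingerprint has to be verified through something the MITM cannot rewrite.
        "media_and_signalling_mitm": verify_peer_certificate(
            mitm_rewrite_fingerprint(ALICE_OFFER, MITM_CERT), MITM_CERT),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'OK' if ok else 'FINGERPRINT MISMATCH'}")
```

The third scenario is the point of contention in this thread: the hash comparison is the easy part, and what makes the session end-to-end is that the fingerprint the verifier compares against came over a path the attacker could not alter (or was checked against the peer out of band).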