Re: [rtcweb] Security Architecture: SDES support is a MUST
Harald Alvestrand <harald@alvestrand.no> Fri, 20 July 2012 13:05 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 293E821F8659 for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2012 06:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIf1WMoH3VpQ for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2012 06:05:48 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 59B9E21F8652 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 06:05:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 8A68E39E179 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:06:43 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7jN7AhPIWqex for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:06:42 +0200 (CEST)
Received: from [192.168.1.16] (unknown [188.113.88.47]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id C95A239E091 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:06:42 +0200 (CEST)
Message-ID: <500957ED.90807@alvestrand.no>
Date: Fri, 20 Jul 2012 15:06:53 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <201207190742.q6J7glf6008744@vivaldi29.register.it> <500834FE.5040809@alcatel-lucent.com> <500835E1.2070502@infosecurity.ch> <50084717.7060301@alcatel-lucent.com> <BLU169-DS1488EF1F32A1EB2027582093D90@phx.gbl> <5008F7B9.7020804@infosecurity.ch>
In-Reply-To: <5008F7B9.7020804@infosecurity.ch>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2012 13:05:49 -0000
On 07/20/2012 08:16 AM, Fabio Pietrosanti (naif) wrote: > On 7/19/12 10:40 PM, Bernard Aboba wrote: >> Self-signed certificates are only appropriate for a subset of scenarios. Do >> we expect IdP to be widely deployed in high security scenarios for >> government, financial or medical applications? I do not. >> >> Do we expect a call center to utilize IdP with a self-signed certificate? >> More likely is that they will utilize a certificate chaining to a trust >> anchor. > Until WebRTC does not employ an end-to-end authentication mechanism > (like ZRTP's SAS applied to DTLS-SRTP), WebRTC is not going to provide > end-to-end security. > > It's not a matter of considering just the encryption, but considering > the "trust model" . > > Current security definition of WebRTC does not support end-to-end security. The current security definition of WebRTC (with DTLS) provides fingerprints. If the application is able to verify those fingerprints, security is end to end; if it isn't - it isn't. One specification does not solve all problems. > > Fabio > > p.s. we have wrote tons of thread about it in past months explaining why > and how > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] Security Architecture: SDES support is a… Domenico Colella
- Re: [rtcweb] Security Architecture: SDES support … Igor Faynberg
- Re: [rtcweb] Security Architecture: SDES support … Fabio Pietrosanti (naif)
- Re: [rtcweb] Security Architecture: SDES support … Igor Faynberg
- Re: [rtcweb] Security Architecture: SDES support … Dan Wing
- Re: [rtcweb] Security Architecture: SDES support … Roman Shpount
- Re: [rtcweb] Security Architecture: SDES support … Bernard Aboba
- Re: [rtcweb] Security Architecture: SDES support … Dan Wing
- Re: [rtcweb] Security Architecture: SDES support … Fabio Pietrosanti (naif)
- Re: [rtcweb] Security Architecture: SDES support … Harald Alvestrand
- Re: [rtcweb] Security Architecture: SDES support … Fabio Pietrosanti (naif)
- Re: [rtcweb] Security Architecture: SDES support … Harald Alvestrand
- Re: [rtcweb] Security Architecture: SDES support … Eric Rescorla
- Re: [rtcweb] Security Architecture: SDES support … Dan Wing
- Re: [rtcweb] Security Architecture: SDES support … Alan Johnston
- Re: [rtcweb] Security Architecture: SDES support … domenico.colella