Re: [rtcweb] Security Architecture: SDES support is a MUST

Harald Alvestrand <harald@alvestrand.no> Fri, 20 July 2012 13:05 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 293E821F8659 for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2012 06:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIf1WMoH3VpQ for <rtcweb@ietfa.amsl.com>; Fri, 20 Jul 2012 06:05:48 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 59B9E21F8652 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 06:05:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 8A68E39E179 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:06:43 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7jN7AhPIWqex for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:06:42 +0200 (CEST)
Received: from [192.168.1.16] (unknown [188.113.88.47]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id C95A239E091 for <rtcweb@ietf.org>; Fri, 20 Jul 2012 15:06:42 +0200 (CEST)
Message-ID: <500957ED.90807@alvestrand.no>
Date: Fri, 20 Jul 2012 15:06:53 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <201207190742.q6J7glf6008744@vivaldi29.register.it> <500834FE.5040809@alcatel-lucent.com> <500835E1.2070502@infosecurity.ch> <50084717.7060301@alcatel-lucent.com> <BLU169-DS1488EF1F32A1EB2027582093D90@phx.gbl> <5008F7B9.7020804@infosecurity.ch>
In-Reply-To: <5008F7B9.7020804@infosecurity.ch>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2012 13:05:49 -0000

On 07/20/2012 08:16 AM, Fabio Pietrosanti (naif) wrote:
> On 7/19/12 10:40 PM, Bernard Aboba wrote:
>> Self-signed certificates are only appropriate for a subset of scenarios.  Do
>> we expect IdP to be widely deployed in high security scenarios for
>> government, financial or medical applications?  I do not.
>>    
>> Do we expect a call center to utilize IdP with a self-signed certificate?
>> More likely is that they will utilize a certificate chaining to a trust
>> anchor.
> Until WebRTC does not employ an end-to-end authentication mechanism
> (like ZRTP's SAS applied to DTLS-SRTP), WebRTC is not going to provide
> end-to-end security.
>
> It's not a matter of considering just the encryption, but considering
> the "trust model" .
>
> Current security definition of WebRTC does not support end-to-end security.
The current security definition of WebRTC (with DTLS) provides fingerprints.
If the application is able to verify those fingerprints, security is end 
to end; if it isn't - it isn't.

One specification does not solve all problems.
>
> Fabio
>
> p.s. we have wrote tons of thread about it in past months explaining why
> and how
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb