Re: [rtcweb] Let's define the purpose of WebRTC

Hadriel Kaplan <> Fri, 11 November 2011 01:15 UTC

On Nov 10, 2011, at 4:34 PM, Eric Rescorla wrote:

> This isn't my point: Roman offered a set of use cases he claimed didn't
> require confidentiality. But in fact, many such cases do. The fact that
> there are also overlapping cases which do not is an argument for erring
> on the side of confidentiality, not the other way around.

But the argument isn't about a generic "game-app" or generic "greeting card" WebRTC use-case - it's about a specific "game-app" or "greeting card" application instance.  In other words, of course for a "game-app" use-case we can imagine games which involve money that need media security; but there are "Farmville" and Scrabble and so on games as well, and those are the specific applications that're being proposed as ones that don't need it and may not want it.  Likewise, of course there could be greeting-card application sites that purport to provide strong privacy, but there are free ones that do not claim that today.

The subtle difference, I think, is that you're viewing it like WebRTC is a generic application that can be used by different hosting sites for different purposes, whereas I view WebRTC as a toolkit to build different applications - like a library included with my OS or compiler.  So saying "well since someone could use WebRTC for something sensitive we have to assume the worst case" sounds rather odd to me - it's like a compiler removing a library because some programs made for sensitive data could be accidentally using it.  No?

p.s. it's hard to convey emotion/emphasis/conviction in email, so I'd like to mention I'd also be ok with SRTP being mandatory-to-use.  I just think the arguments used so far for doing so have been weak. ;)  
Personally I think a better argument for making it mandatory-to-use is public/press perception. (and no I'm not joking)