[RTW] Summary of Alternatives for media keying

Eric Rescorla ekr at rtfm.com
Tue Jul 26 13:14:59 CEST 2011


On Tue, Jul 26, 2011 at 7:00 AM, Bernard Aboba
<bernard_aboba at hotmail.com> wrote:
> Given this, there will probably be a practical need for RTCWEB to be able to
> support multiple media keying solutions.  However, having to support multiple
> solutions natively is not a very appealing prospect.  Therefore it would be a
> (more?) useful discussion to talk about the breakdown of functionality between
> native and javascript.

This was covered fairly extensively in Alan's, Matthew's, and my
respective documents, and in Alan's and my presentations at the interim.

If you wish to have a system which can even in principle be secure
against attack by the calling site, you need to have more or less the
entire key exchange implementation and SRTP implementation in the
browser, not in the JS. Moreover, as Alan and Matthew have observed,
the implementation must allow the users to have direct access
(unmediated by the JS) to enough keying material to verify peer
identity (presuming they have some secure channel with which to do so).

-Ekr

