
I thought this list was dead...

On 26/07/2011, at 7:14 AM, Eric Rescorla wrote:
On Tue, Jul 26, 2011 at 7:00 AM, Bernard Aboba <bernard_aboba@hotmail.com> wrote:
Given this, there will probably be a practical need for RTCWEB to be able to support multiple media keying solutions. However, having to support multiple solutions natively is not a very appealing prospect. Therefore it would be a (more?) useful discussion to talk about the breakdown of functionality between native and javascript.
This was covered fairly extensively in Alan's, Matthew's, and my respective documents, and in Alan's and my presentations at the interim.
If you wish to have a system which can even in principle be secure against attack by the calling site, you need to have more or less the entire key exchange implementation and SRTP implementation in the browser, not in the JS. Moreover, as Alan and Matthew have observed, the implementation must allow the users to have direct access (unmediated by the JS) to enough keying material to verify peer identity (presuming they have some secure channel with which to do so).
-Ekr

_______________________________________________
RTC-Web mailing list
RTC-Web@alvestrand.no
http://www.alvestrand.no/mailman/listinfo/rtc-web

--
Mark Nottingham
http://www.mnot.net/