[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security for RTP connections - some thoughts

To: "Francois Audet" <audet@xxxxxxxxxx>, "Dan Wing" <dwing@xxxxxxxxx>, "Werner Dittmann" <Werner.Dittmann@xxxxxxxxxxx>, <ietf-rtpsec@xxxxxxxxxxxx>
Subject: Re: Security for RTP connections - some thoughts
From: Craig Southeren <craigs@xxxxxxxxxxxxxxxxx>
Date: Tue, 13 Mar 2007 21:54:06 +1100
In-reply-to: <1ECE0EB50388174790F9694F77522CCF0F910494@xxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <45F6EF25.9010602@xxxxxxxxxxx> <1ECE0EB50388174790F9694F77522CCF0F910494@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx

On Tue, 13 Mar 2007 13:51:18 -0500
"Francois Audet" <audet@xxxxxxxxxx> wrote:

..deleted
> 
> Well, interesting, but there are other uses cases that are arguably more
> important. I find the focus of end-user being responsible for security
> incredibly naive.
> 
> Say I'm the Administrator of the service (like in an Enterprise).
> 
> I'm responsible for security. To me, a solution that relies on
> end-users recognizing text string and making the right choices is
> snake oil. Just like all the pop-op windows on accepting certificates
> is snake oil, because most people, outside of security buffs, will just
> accept anything. If there is a security breach, I will be responsible,
> not the end-user. It is my responsibility to provide security, 
> despite the end-user.
> 
> Don't get me wrong: I'm not arguing against the end-user based stuff. 
> I'm just saying that it is a very incomplete picture, and is certainly
> not what the industry needs most immediately.

I agree with your low opinion of the average user, but I disagree with
your conclusion.

If your deployment requirements mandate the usage of secure audio, then
a system that provides it subject to user agreement is always going to
be an issue regardless of the underlying protocol. If this is what you
need, then deploy a PKI or some HR policies with serious teeth :)

For me, the key point about ZRTP is that I (as a user) can have secure
media even if the administrator has not provided it. But, if I am an
administrator, I can deploy a PKI and use ZRTP to provide mandated
security as well. 

It's a win-win scenario

   Craig

-----------------------------------------------------------------------
 Craig Southeren          Post Increment – VoIP Consulting and Software
 craigs@xxxxxxxxxxxxxxxxxxxx                   www.postincrement.com.au

 Phone:  +61 243654666      ICQ: #86852844
 Fax:    +61 243656905      MSN: craig_southeren@xxxxxxxxxxx
 Mobile: +61 417231046      Jabber: craigs@xxxxxxxxxx

 "It takes a man to suffer ignorance and smile.
  Be yourself, no matter what they say."   Sting

Follow-Ups:
- RE: Security for RTP connections - some thoughts
  - From: Dan Wing

References:
- Re: Security for RTP connections - some thoughts
  - From: Werner Dittmann
- RE: Security for RTP connections - some thoughts
  - From: Francois Audet

Prev by Date: Re: Some views on Secure RTP
Next by Date: Re: Some views on Secure RTP
Previous by thread: RE: Security for RTP connections - some thoughts
Next by thread: RE: Security for RTP connections - some thoughts
Index(es):
- Date
- Thread