Re: Secure RTP -- end user experience

[Richard Barnes <rbarnes@xxxxxxx>]

Peter,

> I see two benefits for ZRTP, at least for the market I am targeting, one
> that it doesn't reply on PKI, and the other is that I can get a toolkit that
> just works. I am not aware of any other non-PKI options that qualify on both
> counts.

You can deploy DTLS-SRTP without relying on a PKI.  Either you can use 
self-signed certificates (like SSH does) or you can use the anonymous 
Diffie-Hellman ciphersuites (the much less common option).

Both of these are implemented in OpenSSL, which not only "just works", 
but is certified to do so by NIST.  I'm not sure about the specific 
status of DTLS-SRTP, but I hear there's an implementation as part of the 
OpenSSL project.

--Richard



> I didn't intend to imply that ZRTP was the only non PKI proposal, I probably
> should have made that clearer.
>
> Regards
>
>
> Peter
>
>
> ------------------------------------------------------------------
> Peter Cox                                  Phone: +44 20 8759 1999 
> CTO International                            Fax: +44 20 8757 1998
> Borderware Technologies Inc              http://www.borderware.com
> -----Original Message-----
> From: owner-ietf-rtpsec@xxxxxxxxxxxx [mailto:owner-ietf-rtpsec@xxxxxxxxxxxx]
> On Behalf Of Hannes Tschofenig
> Sent: Tuesday, March 13, 2007 9:58 PM
> To: peter@xxxxxxxxxxxxxx
> Cc: ietf-rtpsec@xxxxxxx
> Subject: Re: Secure RTP -- end user experience
>
>
> Hi Peter,
>
> I don't know why a number of folks got the impression that ZRTP is the 
> only proposal that does not rely on a PKI. There seems to be some 
> misinformation here.
>
> SAS can also be used with any proposal. Only relying on SAS will 
> obviously not work in an environment where one of the end points is not 
> a human.
>
> Ciao
> Hannes
>
> Peter Cox wrote:
> > Other than a posting by Craig Southeren there has been little discussion
> on
> > the end-user environment in which secure RTP will be deployed. VoIP
> systems
> > are deployed in environments where the end-users expect them to "just
> work",
> > users are far less tolerant of what in their mind are intruding details
> than
> > users of web and email systems, even when those users are the same people.
> A
> > lifetime's experience with the PSTN means that VoIP users just want to
> pick
> > up the phone, dial and get connected. 
> >
> > The majority of those calls will be about non confidential matters, but
> when
> > more sensitive issues are discussed users want a simple check that their
> > conversation is secured end-to-end, the ZRTP SAS provides this in a form
> > that is easy for the average end-user to understand. For the end-user the
> > SAS is the analogue of the light on the phones used in cold-war spy
> movies,
> > the light flashed when the line was secure. 
> >
> > To declare an interest, Borderware is implementing ZRTP using Phil's
> > toolkit. This protocol was chosen because of its ease of use and because
> it
> > provides exactly what is needed to encrypt a VoIP call, ephemeral keys
> > negotiated without the overhead and complexity of certificate management.
> >
> > While not minimising the importance of getting the protocol details right,
> > factors like end-user acceptance, ease of use and ease of implementation
> are
> > also important. From this point of view ZRTP gets my vote.
> >
> > ------------------------------------------------------------------
> > Peter Cox                                  Phone: +44 20 8759 1999 
> > CTO International                            Fax: +44 20 8757 1998
> > Borderware Technologies Inc              http://www.borderware.com
> >
> >
> >