[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Plan for moving forward

To: Dan Wing <dwing@xxxxxxxxx>
Subject: Re: Plan for moving forward
From: Lakshminath Dondeti <ldondeti@xxxxxxxxxxxx>
Date: Tue, 12 Jun 2007 13:29:20 -0700
Cc: "'Eric Rescorla'" <ekr@xxxxxxxxxxxxxxxxxxxx>, "'Matt Lepinski'" <mlepinski@xxxxxxx>, ietf-rtpsec@xxxxxxx
In-reply-to: <01c501c7ad2f$f00954c0$c2f0200a@xxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <01c501c7ad2f$f00954c0$c2f0200a@xxxxxxxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.0 (Windows/20070326)

Dan

Of course I understand that. Please read my note closely :) . I wasonly referring to PKI in the context of DRM.


Lakshminath

On 6/12/2007 1:26 PM, Dan Wing wrote:

I don't understand your reference to PKI.

As was explained at length -- I thought -- in Prague, DTLS-SRTP does not
require (nor recommend) that the endpoint's certificate (used for DTLS-SRTP)
be made available in any kind of certificate store ("PKI"), anywhere, by
anybody.  Taken to an extreme, One Might Say that a new certificate could be
created by the endpoints for every DTLS-SRTP call, if the endpoint was
interested in doing such a thing.

-d
-----Original Message-----
From: owner-ietf-rtpsec@xxxxxxxxxxxx[mailto:owner-ietf-rtpsec@xxxxxxxxxxxx] On Behalf OfLakshminath Dondeti
Sent: Tuesday, June 12, 2007 12:48 PM
To: Eric Rescorla
Cc: Matt Lepinski; ietf-rtpsec@xxxxxxx
Subject: Re: Plan for moving forward


Eric,
I have double checked with people about where things are in 3GPP and3GPP2 and since you care to know the details, it is asomewhat complexstory (actually not that complex). If DRM is involved, thereare clientcerts, PKI and everything (although in case of broadcast TV,the storyis different, the mobile operators may be trying to do awaywith PKIs inthat context). But, clearly there is someone to pay for itso to speak;content business is a value-add.
For other purposes, people tell me that there were attemptsin the pastand they went no where (I haven't seen them and so I don't know thestory for sure). Someone could try to make a proposal and buildconsensus now; the burden then is on the merits of the proposal. Itdoesn't hurt too much is not an incentive.
There are folks on this list who also contribute to PP andPP2. If youdisagree with my notes above, please do let us know.
regards,
Lakshminath

On 6/7/2007 12:04 PM, Eric Rescorla wrote:
At Thu, 07 Jun 2007 11:26:44 -0700,
Lakshminath Dondeti wrote:
Thanks Matt. I know of cases where skipping the
self-signed cert on the
UAC side would be considered necessary. Broadly speaking whereasverifying server-side certs as in case of https is
alright, client-side
certs, self-signed or not, are not really viable at the moment.
Can you provide more support for this claim?

The problems with client auth in HTTPS are almost entirely due
to user interface, but in the of DTLS-SRTP, they client auth
is hidden under the covers of the implementation and so this
is not an issue.

-Ekr

Follow-Ups:
- RE: Plan for moving forward
  - From: Dan Wing

References:
- RE: Plan for moving forward
  - From: Dan Wing

Prev by Date: RE: Plan for moving forward
Next by Date: RE: Plan for moving forward
Previous by thread: RE: Plan for moving forward
Next by thread: RE: Plan for moving forward
Index(es):
- Date
- Thread