[webrtc-pc] Use PSK key exchange in DTLS transport instead of certificates

reklatsmasters has just created a new issue for https://github.com/w3c/webrtc-pc:

== Use PSK key exchange in DTLS transport instead of certificates ==
If I understand correctly, the way to establish a secure connection is:

* generate a self-signed certificate with an ECDSA key
* share the certificate fingerprint through an existing secure channel inside SDP
* check certificates in the DTLS handshake process

I think certificates are a complex and absolutely unneeded part of WebRTC. The `PSK` key exchange is much easier and does the same things. The ideal cipher suite to use in WebRTC is [RFC8442](https://tools.ietf.org/html/rfc8442), which provides Perfect Forward Secrecy (ECDHE_PSK) and modern ciphers (AEAD).

Besides, the `PSK` key exchange makes the DTLS handshake faster, see [RFC4279](https://tools.ietf.org/html/rfc4279#section-2):

> The Certificate and CertificateRequest payloads are omitted from the response.<...> If no hint is provided, the ServerKeyExchange message is omitted.

Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/2007 using your GitHub account

Received on Wednesday, 17 October 2018 00:20:44 UTC
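
The certificate flow listed in the issue (fingerprint signalled in SDP, then checked against the certificate seen in the DTLS handshake) can be sketched as follows. This is an added example, not code from the issue or from any WebRTC implementation; the function names are hypothetical, the hash allow-list is an example policy, and constructed opaque bytes stand in for DER-encoded certificates.

```javascript
// Added example: check a DTLS peer certificate against SDP a=fingerprint lines.
const { createHash, timingSafeEqual } = require('node:crypto');

// Example policy (an assumption): accepted hashes, SDP name -> Node digest name.
const ALLOWED = new Map([['sha-256', 'sha256'], ['sha-384', 'sha384'], ['sha-512', 'sha512']]);

// Format a digest the way SDP carries it: upper-case hex bytes joined by ':'.
function fingerprintOf(certDer, sdpHash = 'sha-256') {
  const hex = createHash(ALLOWED.get(sdpHash)).update(certDer).digest('hex');
  return hex.toUpperCase().match(/../g).join(':');
}

// Collect every a=fingerprint attribute (session- or media-level) from an SDP blob.
function parseFingerprints(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+) ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/.exec(line);
    if (m) out.push({ hash: m[1].toLowerCase(), value: m[2].toUpperCase() });
  }
  return out;
}

// True only if the certificate seen in the handshake matches a signalled fingerprint.
function verifyPeerCertificate(sdp, certDer) {
  for (const fp of parseFingerprints(sdp)) {
    const alg = ALLOWED.get(fp.hash);
    if (!alg) continue; // skip hashes outside the allow-list
    const expected = Buffer.from(fp.value.replace(/:/g, ''), 'hex');
    const actual = createHash(alg).update(certDer).digest();
    if (expected.length === actual.length && timingSafeEqual(expected, actual)) return true;
  }
  return false; // no usable fingerprint, or mismatch: fail closed
}

// Constructed sample data: opaque bytes stand in for DER-encoded certificates.
const peerCert = Buffer.from('constructed-peer-certificate-der');
const otherCert = Buffer.from('constructed-other-certificate-der');
const remoteSdp = [
  'v=0',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
  'a=setup:actpass',
  `a=fingerprint:sha-256 ${fingerprintOf(peerCert)}`,
].join('\r\n');

console.log(verifyPeerCertificate(remoteSdp, peerCert));
console.log(verifyPeerCertificate(remoteSdp, otherCert));
```

The binding is only as strong as the channel that carried the SDP: the check fails closed when the fingerprint is missing, uses a hash outside the allow-list, or does not match.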