Re: [webrtc-pc] Use PSK key exchange in DTLS transport instead of certificates

Certificates are suboptimal, yes, because they are used as glorified containers for public keys. Using PSK would be a terrible idea for the same reason we don't use security descriptions: it makes impersonation by entities with access to signaling trivial.

I think what you really want to ask for is raw public keys (RFC 7250). The reason we don't use those is that they aren't very widely implemented in stacks, which makes deployment tricky. I'm not opposed to someone working out how to signal use of raw public keys in SDP, but it's a non-trivial part of deploying something like that. Motivating the change isn't that simple because certificate overheads aren't that terrible in practice.

DTLS 1.3 should fix the handshake latency problems without the associated compatibility risk.

-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/2007#issuecomment-430450773 using your GitHub account

Received on Wednesday, 17 October 2018 00:50:09 UTC