- From: Eric Rescorla <ekr@rtfm.com>
- Date: Sun, 6 Dec 2015 11:40:31 -0800
- To: Harald Alvestrand <harald@alvestrand.no>
- Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>
Received on Sunday, 6 December 2015 19:41:41 UTC
I would be onboard with deleting this paragraph.

On Sun, Dec 6, 2015 at 8:10 AM, Harald Alvestrand <harald@alvestrand.no> wrote:

> On 05 Dec 2015 12:02, Martin Thomson wrote:
> > What is this supposed to mean?
> >
> > "To prevent network sniffing from allowing a fourth party to establish
> > a connection to a peer using the information sent out-of-band to the
> > other peer and thus spoofing the client, the configuration information
> > SHOULD always be transmitted using an encrypted connection."
> >
> > It's right at the bottom of a very big Section 4.3.1.
> >
> > I might guess that this relates to the ICE ufrag and pwd, but it's
> > well out of place if that is the case and very confusing either way.
> >
>
> Ufrag and password will let one establish an ICE connection.
> It won't permit a DTLS connection, since that requires the fingerprint
> to match.
> An active attacker can modify the fingerprint and get connected, but
> that's not what this paragraph is referring to, since it specifically
> talks about "network sniffing", not network interception - back in the
> days when we still considered permitting SDES, the warning was true as
> it stands - but we don't do that any more.
>
> I'd suggest deleting the paragraph.
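The distinction drawn in the thread, as an added example that is not part of the original messages: a receiver-side check of the DTLS certificate against the `a=fingerprint` value from signaling, run against a constructed SDP fragment. The certificate bytes, ufrag, pwd and function names are assumptions made for illustration, and only `sha-256` fingerprints are handled.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
ALICE_CERT = b"constructed stand-in for Alice's DER certificate"
OTHER_CERT = b"constructed stand-in for a third party's DER certificate"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_offer(cert_der: bytes) -> str:
    """Constructed SDP fragment carrying ICE credentials and a fingerprint."""
    return "\r\n".join([
        "a=ice-ufrag:c0n5",
        "a=ice-pwd:constructedSamplePassword01",
        "a=fingerprint:sha-256 " + fingerprint(cert_der),
    ])


def parse_sdp_attrs(sdp: str) -> dict:
    """Collect the first value of each 'a=name:value' attribute."""
    attrs = {}
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("a=") and ":" in line:
            name, value = line[2:].split(":", 1)
            attrs.setdefault(name, value)
    return attrs


def dtls_peer_accepted(sdp: str, presented_cert_der: bytes) -> bool:
    """Accept the DTLS peer only if its certificate matches the signaled fingerprint.

    Knowing ice-ufrag and ice-pwd is not enough to pass this check. The check
    is only as trustworthy as the integrity of the signaling that delivered
    the SDP: a fingerprint rewritten in transit is what gets compared.
    """
    signaled = parse_sdp_attrs(sdp).get("fingerprint")
    if signaled is None:
        return False
    parts = signaled.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "sha-256":
        return False
    return hmac.compare_digest(parts[1].strip().upper(),
                               fingerprint(presented_cert_der))
```
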