Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)
RFC 5763
Yes
No Objection
Note: This ballot was opened for revision 07 and is now closed.
Lars Eggert No Objection
** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280)

Section 11., paragraph 0:
> A.18. Media Security Negotation (R-NEGOTIATE) . . . . . . . . . 32
Nit: s/Negotation/Negotiation/

Section 1., paragraph 4:
> control of on-path sigaling elements.
Nit: s/sigaling/signaling/

Section 6.7.2., paragraph 1:
> active side MUST proceed with the DTLS handshake as appopriate even
Nit: s/appopriate/appropriate/

Section 7., paragraph 3:
> especialy if Identity is not in use. Note that all other signaling
Nit: s/especialy/especially/

Section 8.6., paragraph 4:
> In both of these cases, the assurances taht DTLS-SRTP provides in
Nit: s/taht/that/
(Cullen Jennings; former steering group member) Yes
(Jon Peterson; former steering group member) Yes
(Magnus Westerlund; former steering group member) (was Discuss) Yes
(Chris Newman; former steering group member) No Objection
(Dan Romascanu; former steering group member) No Objection
(David Ward; former steering group member) No Objection
(Jari Arkko; former steering group member) (was Discuss) No Objection
(Lisa Dusseault; former steering group member) No Objection
(Mark Townsley; former steering group member) No Objection
(Pasi Eronen; former steering group member) (was Discuss, No Objection) No Objection
(Ross Callon; former steering group member) No Objection
(Russ Housley; former steering group member) (was Discuss) No Objection
(Tim Polk; former steering group member) No Objection
The Introduction states that:

> However, third party certificates MAY also be used for extra security.

The limitations of that extra security should be addressed in the security considerations. To my mind, there is some degree of "defense in depth", but using third-party certificates will not address any fundamental limitations of the protocol. For example, if SIP Identity or an equivalent mechanism is not employed, third-party certificates do not compensate, since there is no binding between names in the certificate and the name used in the application. I am not trying to discourage use of third-party certificates where available, but I don't want to see them oversold through omission.