Re: [Speechsc] [RAI] RAI review of draft-ietf-speechsc-mrcpv2-19

[Dan York <dyork at voxeo.com>]

Roni,

The current text at http://tools.ietf.org/html/draft-ietf-speechsc-mrcpv2-19#section-12.3 is:

------

12.3.  Media session protection 
   

Sensitive data is also carried on media sessions terminating on
   MRCPv2 servers (the other end of a media channel may or may not be on
   the MRCPv2 client).  This data includes the user's spoken utterances
   and the output of text-to-speech operations.  MRCPv2 servers MUST
   support SRTP for protection of audio media sessions.  MRCPv2 clients
   that originate or consume audio similarly MUST support SRTP.
   Alternative media channel protection MAY be used if desired (e.g.
   IPSEC).

------

Based on your comments and the srtp-not-mandatory draft (which was just revised to http://tools.ietf.org/html/draft-ietf-avt-srtp-not-mandatory-03 ), my understanding would be that you are advocating something more like this:

------

12.3. Media session protection 

Sensitive data is also carried on media sessions terminating on MRCPv2 servers (the other end of a media channel may or may not be on the MRCPv2 client). This data includes the user's spoken utterances    and the output of text-to-speech operations. MRCPv2 servers MUST support a security mechanism for protection of audio media sessions. MRCPv2 clients that originate or consume audio similarly MUST support a security mechanism for protection of the audio. 

------

Is that an accurate summary of your feedback?  Would that text be acceptable?

Regards,

Dan

On Jul 9, 2009, at 4:56 PM, Roni Even wrote:

Eric,
My comment is that in this case in AVT we say that you do not need to
mandate SRTP but mandate a security mechanism that can be  not only SRTP but
in a different layer like ipsec. This is why I gave a reference to the
srtp-not-mandatory draft

Roni

-----Original Message-----

From: Eric Burger [mailto:eburger at standardstrack.com]

Sent: Thursday, July 09, 2009 11:28 PM

To: Roni Even

Cc: Saravanan Shanmugham; Daniel Burnett; speechsc at ietf.org;

rai at ietf.org

Subject: Re: RAI review of draft-ietf-speechsc-mrcpv2-19

The reality is that NO ONE has implemented any security to date. The

GENART reviewer raised the same issue, and so far the work group has

the same response: MRCPv2 (the speechsc work group) is not planning on

figuring out which of the seven key exchange mechanisms to use in

SIP.  We are counting on the community publishing something, and

people using it.  After all, we are the "using SIP for media resource

control" work group, not the "media resource control work group using

something like SIP for control."

Does this work for you?

On Jul 7, 2009, at 3:40 PM, Roni Even wrote:

[snip]

18.   In section 12.3 the suggestion is to use SRTP as the mandatory

interoperability mode. If the reason for mandating SRTP is for a

common mode you should also decide on a key exchange mechanism. I

suggest you look athttp://tools.ietf.org/html/draft-ietf-avt-srtp-

not-mandatory-02

for discussion on media security.

_______________________________________________
RAI mailing list
RAI at ietf.org
https://www.ietf.org/mailman/listinfo/rai

-- 

Dan York, Director of Conversations

Voxeo Corporation   http://www.voxeo.com  dyork at voxeo.com

Phone: +1-407-455-5859    Skype: danyork  

Join the Voxeo conversation:

Blogs: http://blogs.voxeo.com

Twitter: http://twitter.com/voxeo  http://twitter.com/danyork

Facebook: http://www.facebook.com/voxeo