On 28 Jan 2014, at 22:53, Joshua Colp <[email protected]> wrote:

> On 14-01-28 04:25 PM, Daniel Pocock wrote:
>>
>> This was on -users, but it appears all the DTLS discussion is on -dev so
>> I'm reposting it...
>>
>>
>> If I understand correctly, setting
>>
>> encryption=no
>>
>> means that Asterisk will make outgoing calls without encryption, but
>> will be happy to accept incoming calls regardless of whether the caller
>> wants encryption or not (that is how it has been working for me anyway)
>
> What you are referring to is optional encryption which should not be
> working. The code was originally written with only SDES in mind so it
> may be possible that the DTLS code isn't taking things into account
> correctly.
>
> Personally I am against optional encryption. Best effort encryption just
> does not make sense to me.

A year ago I would agree with you. Not any more. Encrypt wherever possible. We just need to separate this from "secure media".

If you really want a confidential call, force encryption. If you really want a call with an authenticated endpoint/user, force strong authentication.

For the rest of the calls, if we can encrypt media and/or signalling, just do it.

/O
