[Live-devel] RTSPS and PKI

Ross Finlayson finlayson at live555.com
Sat Jul 19 18:55:29 PDT 2025



> On Jul 19, 2025, at 11:59 PM, BENMOUSSA Yahia - Contractor via live-devel <live-devel at us.live555.com> wrote:
> 
> Since the SRTP encryption key is exchanged using TLS, we need to guarantee maximum security for the TLS channel. We assume that if the TLS channel is trusted, so is SRTP.
> 
> The private CAs are needed because our RTSP clients don't have access permissions to the system CA keystore.
> 
> Moreover, it is not recommended to install a private CA file in the system-wide CA keystore. This may be considered a security issue. Usually, the OS CA keystore contains only the publicly trusted CA files. If a given application doesn't want to use these public CAs, it should manage its own private CAs.

Sorry, but I don’t understand this ‘word salad’ (“system wide CA keystore”, etc.).

I still don’t understand why RTSP clients need to be given their own certificate (externally, before the TLS process even begins).  Everybody else who uses RTSP with SRTP assumes that the RTSP servers have proper certificates installed.  I don’t know what makes your environment different (special).

It seems that I’m going to have to rely on someone else giving me a good explanation, before I make any changes to the supplied LIVE555 code.


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
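The quoted message argues that an RTSP client should verify the server's TLS certificate against a CA bundle the application manages itself, instead of adding a private CA to the OS trust store. The script below is an added illustration of that model; it is not code from the live-devel thread or from LIVE555. It creates a private CA and a server certificate with the openssl CLI (all names such as demo-ca and rtsp.example.internal are constructed placeholders), then shows that the certificate verifies only against the application's own CA file, with hostname checking, and not against the system trust store.

```shell
#!/bin/sh
# Added example, not part of the live-devel thread or the LIVE555 code.
# Demonstrates an application-managed private CA: the server certificate is
# trusted only when the client supplies the private CA bundle explicitly.
# Requires the openssl CLI (1.1.0 or newer for -verify_hostname).
set -e

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="rtsp.example.internal"   # constructed placeholder hostname

make_private_ca() {
  # Self-signed private CA. It stays with the application and is never
  # installed into the system-wide trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

issue_server_cert() {
  # Server key and CSR, then a certificate signed by the private CA.
  # A subjectAltName is added so clients can perform hostname verification;
  # a CN-only certificate is rejected by modern TLS clients.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$SERVER_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$SERVER_NAME" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Returns 0 when server.pem chains to the application's private CA bundle
# and its SAN matches the expected hostname. This is the check an RTSPS
# client configured with its own CA file performs.
verify_against_private_ca() {
  openssl verify -CAfile "$WORK/ca.pem" \
    -verify_hostname "$SERVER_NAME" "$WORK/server.pem" >/dev/null 2>&1
}

# Returns 0 when the hostname does not match: verification must fail even
# though the CA is trusted, which protects against a certificate issued for
# a different server by the same private CA.
verify_wrong_hostname() {
  openssl verify -CAfile "$WORK/ca.pem" \
    -verify_hostname "other.example.internal" "$WORK/server.pem" >/dev/null 2>&1
}

# Returns 0 only if server.pem chains to the OS trust store. With a private
# CA this is expected to fail, which is the whole point of keeping the
# private CA out of the system keystore.
verify_against_system_store() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}
```

Run the functions in order (make_private_ca, issue_server_cert, then the verify functions). The key design point is that trust is scoped to the application: only a client that explicitly loads `ca.pem` will accept the server, and every other process on the machine continues to trust only the public CAs.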



