The SRTP key management mechanism/exchange is not established by WebRTC. Two options are:
- SDES (SDP Security Descriptions for Media Streams)
  - this was at first preferred by WebRTC, but later they changed that
  - for SDES to be secure, signaling must be secured
  - I believe the signaling server knows the key
- DTLS-SRTP: DTLS is used to establish the master key and encryption parameters, which are then used in SRTP
  - DTLS-SRTP is mandatory to support and should be the default.
Compared to RTP over DTLS, SRTP is more lightweight. However, SRTP exposes the RTP headers. In particular, SRTP exposes the audio level.
The WebRTC data channel is protected by DTLS.
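The difference between the two keying options shows up in the SDP itself: SDES puts the key in an `a=crypto` line that passes through signaling, while DTLS-based keying only advertises a certificate fingerprint. The following is an added example, not code from the original notes; `auditSdp` is a hypothetical helper and both SDP offers are constructed sample input.

```javascript
// Constructed SDES offer: the SRTP master key travels inside the SDP.
const SDES_OFFER = [
  'v=0', 'o=- 1 1 IN IP4 192.0.2.1', 's=-', 't=0 0',
  'm=audio 49170 RTP/SAVP 0',
  // Constructed key material (30 zero bytes, base64), readable by anyone who sees the SDP.
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:' + 'A'.repeat(40),
].join('\r\n');

// Constructed DTLS offer: only a certificate fingerprint is signaled.
const DTLS_OFFER = [
  'v=0', 'o=- 2 1 IN IP4 192.0.2.1', 's=-', 't=0 0',
  // Session-level fingerprint (constructed) applies to every m= section below.
  'a=fingerprint:sha-256 ' + Array(32).fill('AB').join(':'),
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
].join('\r\n');

// Classify how each m= section is keyed: 'sdes', 'dtls', 'both' or 'none'.
function auditSdp(sdp) {
  const lines = sdp.split(/\r?\n/).filter(Boolean);
  let sessionFingerprint = false;
  let cur = null;
  const sections = [];
  for (const line of lines) {
    if (line.startsWith('m=')) {
      // m=<media> <port> <proto> <fmt...>
      const [media, , proto] = line.slice(2).split(' ');
      cur = { media, proto, crypto: false, fingerprint: false };
      sections.push(cur);
    } else if (line.startsWith('a=fingerprint:')) {
      // Before the first m= line the attribute is session-level.
      if (cur) cur.fingerprint = true; else sessionFingerprint = true;
    } else if (cur && /^a=crypto:\d+ \S+ inline:/.test(line)) {
      cur.crypto = true; // SDES: key is carried in signaling
    }
  }
  return sections.map((s) => {
    const dtls = s.fingerprint || sessionFingerprint;
    const keying = s.crypto && dtls ? 'both' : s.crypto ? 'sdes' : dtls ? 'dtls' : 'none';
    return { media: s.media, proto: s.proto, keying, keyInSignaling: s.crypto };
  });
}

console.log(auditSdp(SDES_OFFER), auditSdp(DTLS_OFFER));
```

A section reported as `sdes` or `both` means the signaling path has seen the SRTP key, so a check like this can be used to reject or flag such offers before they are applied.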