Re: [rtcweb] Mirja Kühlewind's Discuss on draft-ietf-rtcweb-security-11: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Tue, 05 March 2019 14:31 UTC

References: <155137680815.28736.10104782585142415268.idtracker@ietfa.amsl.com> <CABcZeBNoES+AeH2_9Ax+c8vTHYEend6huBWq8ypqv20PqUDZGA@mail.gmail.com> <B34AD329-4FE2-4561-9F8C-F8833A77E99F@kuehlewind.net>
In-Reply-To: <B34AD329-4FE2-4561-9F8C-F8833A77E99F@kuehlewind.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 05 Mar 2019 06:30:55 -0800
Message-ID: <CABcZeBN2FcDE2zRb5SNHAyZmfiiPmxTFBWTevf7Cuk58AO=GoA@mail.gmail.com>
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
Cc: draft-ietf-rtcweb-security@ietf.org, rtcweb-chairs@ietf.org, RTCWeb IETF <rtcweb@ietf.org>, The IESG <iesg@ietf.org>, Sean Turner <sean@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/C2TWu_r95JHT8_9-sBGehu6KpRI>
Subject: Re: [rtcweb] Mirja Kühlewind's Discuss on draft-ietf-rtcweb-security-11: (with DISCUSS and COMMENT)

On Tue, Mar 5, 2019 at 1:54 AM Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>
wrote:

> Hi Ekr,
>
> see below.
>
> > Am 28.02.2019 um 22:22 schrieb Eric Rescorla <ekr@rtfm.com>:
> >
> >
> >
> > On Thu, Feb 28, 2019 at 10:00 AM Mirja Kühlewind <ietf@kuehlewind.net>
> wrote:
> > Mirja Kühlewind has entered the following ballot position for
> > draft-ietf-rtcweb-security-11: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > I think this document is clearly informational. Other RTCweb documents
> should
> > refer this document informatively and only reference the sec arch doc
> > normatively.
> >
> > I don't feel strongly one way or the other. I will defer to the AD.
>
>
> I will wait for more feedback from other ADs and then clear my discuss
> respectively. However, to be honest I also don’t quite fully understand the
> split between this doc and the sec-arch one. But maybe that's just me...
> >
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > I would have also expected some discussion about the risks to the user
> if the
> > browser gets corrupted, as indicated by the trust model presented in
> > draft-ietf-rtcweb-security-arch. Alternatively, this document could go
> in the
> > appendix of draft-ietf-rtcweb-security-arch instead.
> >
> > Hmm... We generally assume that the browser is uncorrupted. If it is,
> it's pretty much game over. Can you explain more about your position.
>
> My thinking here is that the security considerations should usually mention
> potential attacks. First, the whole document assumes that the browser is
> not corrupted but never says that.


This is an explicit part of the RFC 3552 threat model.
https://tools.ietf.org/rfcmarkup?doc=3552#section-3

   The Internet environment has a fairly well understood threat model.
   In general, we assume that the end-systems engaging in a protocol
   exchange have not themselves been compromised.  Protecting against an
   attack when one of the end-systems has been compromised is
   extraordinarily difficult.  It is, however, possible to design
   protocols which minimize the extent of the damage done under these
   circumstances.



> So it would help if this document would also mention the trust model as
> explicitly described in the sec-arch doc or refer to it.


We would then have to change every document we write to say this, I should
think.

-Ekr

> But then I also thought that it could be good to say more about what „game
> over“ means. Which information could or would be lost or be in danger. I
> understand that if an attacker has full control over the browser it can
> basically display anything, however, I was wondering if it would be
> possible to say more than that. Maybe there are parts that can be more easily
> hacked than others… anyway, was just a thought.
>
>
>