IETF Logo Mail Archive

Re: [rtcweb] More on authorization and endpoint authentication

Harald Alvestrand <harald@alvestrand.no> Fri, 05 August 2011 06:40 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C95A921F8678 for <rtcweb@ietfa.amsl.com>; Thu, 4 Aug 2011 23:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.576
X-Spam-Level:
X-Spam-Status: No, score=-102.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GfOUtLEy-Qa3 for <rtcweb@ietfa.amsl.com>; Thu, 4 Aug 2011 23:40:58 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 190ED21F855A for <rtcweb@ietf.org>; Thu, 4 Aug 2011 23:40:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 7BE1739E113 for <rtcweb@ietf.org>; Fri, 5 Aug 2011 08:40:04 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJKZ7ZYdxFLE for <rtcweb@ietf.org>; Fri, 5 Aug 2011 08:40:03 +0200 (CEST)
Received: from [192.168.1.51] (162.80-203-220.nextgentel.com [80.203.220.162]) by eikenes.alvestrand.no (Postfix) with ESMTPS id E3B0639E0D4 for <rtcweb@ietf.org>; Fri, 5 Aug 2011 08:40:03 +0200 (CEST)
Message-ID: <4E3B908A.1040809@alvestrand.no>
Date: Fri, 05 Aug 2011 08:41:14 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CABcZeBM2hgNkBgvB=8uw_CKuQ+=F=TPBtJq16SyvQ=SKPNVY+A@mail.gmail.com>
In-Reply-To: <CABcZeBM2hgNkBgvB=8uw_CKuQ+=F=TPBtJq16SyvQ=SKPNVY+A@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] More on authorization and endpoint authentication
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2011 06:40:58 -0000

On 08/04/11 18:46, Eric Rescorla wrote:
> At a higher level, I think we've been failing to draw the distinction
> between two cases which are socially (and arguably technically) very
> different:
>
> 1. The calling service is permitted to place a call but all the
>     information about who you are actually calling is accessible
>     only to the JS provided by the calling service.
>
> 2. The calling service is permitted to place a call but the
>     browser has independent information about who you are
>     actually talking to. [and could at least in principle render
>     it to the user.]
I do not like the thought of going down the case #2 road.

The reason is that in case 2, the concept of remote identity gets 
hardwired into the browser, and the API becomes useful only for 
applications that subscribe to the particular identity model that is 
hardwired into the browser.

In case #1, the API can be used with any (or no) concept of "remote 
identity", and the JS provider (who has a kind of "identity" by virtue 
of the Same Origin Policy definition, so it's already wired into the 
browser) gets to hold the responsibility.

v2.23.0 | Report a Bug | By Email