Re: [rtcweb] Working Group Last Call draft-ietf-rtcweb-security
Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 07 March 2013 14:41 UTC
From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: EKR <ekr@rtfm.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Date: Thu, 07 Mar 2013 14:41:42 +0000

Hi Eric,

Some minor comments on draft-ietf-rtcweb-security:

- Abstract

   This document defines the RTC-Web threat model and defines an
   architecture which provides security within that threat model

  Isn't the architecture defined in draft-ietf-rtcweb-security-arch?

- Section 4.1.1.3, 3rd paragraph

   However, this obviously presents a privacy challenge, as sites which
   host advertisements in IFRAMEs often learn very little about whether
   individual users clicked through to the ads, or even which ads were
   presented.

  What exactly is the privacy issue here? Is it that the hosting site can eavesdrop on the call between the user and the advertiser since IFRAMEs are not used?

- Section 4.3.1, 3rd paragraph

   In addition, the system MUST NOT provide any APIs to extract either
   long-term keying material or to directly access any stored traffic
   keys.

  Does this mean that SDES is out of the picture or does the sentence only apply to DTLS(-SRTP)?

I apologize if any of the points above have already been mentioned by the other reviewers.

Regards,

Oscar

> -----Original Message-----
> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf
> Of Ted Hardie
> Sent: den 14 februari 2013 17:35
> To: rtcweb@ietf.org
> Subject: [rtcweb] Working Group Last Call draft-ietf-rtcweb-security
>
> This begins a working group last call for draft-ietf-rtcweb-security.
> Please send comments to the list by March 9, 2013.
>
> regards,
>
> Ted, Cullen, Magnus
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb