Re: [rtcweb] A plea for simplicity, marketability - and... who are we designing RTCWEB for?

Eric Rescorla <ekr@rtfm.com> Thu, 20 October 2011 15:55 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F8AF21F8C9C for <rtcweb@ietfa.amsl.com>; Thu, 20 Oct 2011 08:55:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.96
X-Spam-Level:
X-Spam-Status: No, score=-102.96 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUW0qpd+qUyb for <rtcweb@ietfa.amsl.com>; Thu, 20 Oct 2011 08:55:36 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id B3BE421F8C87 for <rtcweb@ietf.org>; Thu, 20 Oct 2011 08:55:36 -0700 (PDT)
Received: by vcbfo1 with SMTP id fo1so3115105vcb.31 for <rtcweb@ietf.org>; Thu, 20 Oct 2011 08:55:36 -0700 (PDT)
Received: by 10.52.99.195 with SMTP id es3mr11263923vdb.63.1319126136164; Thu, 20 Oct 2011 08:55:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.161.20 with HTTP; Thu, 20 Oct 2011 08:54:55 -0700 (PDT)
In-Reply-To: <CAD5OKxtLZvEc6DyVqJmf8dMvao2=EJdSUBdRBpu-_BViFKwBFw@mail.gmail.com>
References: <9C8CA816-65FB-41A0-999C-4C43128CAAB4@danyork.org> <BLU152-W43CB8DACCEA54AA5558B2493EA0@phx.gbl> <E857C96A-0E73-486F-BF23-36BA897B449C@cisco.com> <BLU152-W19B31DA6C6DB2FE60FC51C93EB0@phx.gbl> <CABcZeBNbSk-4kfzNtXUSnFMhkcockTXudAYzEET30a0v+-kxBA@mail.gmail.com> <CAD5OKxtLZvEc6DyVqJmf8dMvao2=EJdSUBdRBpu-_BViFKwBFw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 20 Oct 2011 08:54:55 -0700
Message-ID: <CABcZeBPx3HdvB7C-VeqCAdz5H2fM2WNWJ-bM1=nxo8FbD70aPg@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] A plea for simplicity, marketability - and... who are we designing RTCWEB for?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2011 15:55:37 -0000

On Thu, Oct 20, 2011 at 8:45 AM, Roman Shpount <roman@telurix.com>; wrote:
>
> On Thu, Oct 20, 2011 at 11:36 AM, Eric Rescorla <ekr@rtfm.com>; wrote:
>>
>> I don't think I'm following you're argument. ISTM that there are two
>> conditions that one might term "single origin":
>
> There is a third condition for the term "single origin": an RTC application
> calling a server which provided the JavaScript with RTC application. For
> instance if you have an application from a phone service provider or
> conferencing app. This application will never setup a P2P call between two
> browsers, it is always between provider and the browser, so it can ask for
> relaxed security since it only calls its own IP.

Unless the browser can directly verify that the target of the media and the
source of the JS are one and the same, then at minimum the consent issues
apply.

-Ekr