[rtcweb] Yesterday's meeting : Security

"Olle E. Johansson" <oej@edvina.net> Fri, 09 September 2011 06:07 UTC

Return-Path: <oej@edvina.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 9174A21F8781 for <rtcweb@ietfa.amsl.com>; Thu, 8 Sep 2011 23:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ZLWLbKiQ+6CJ for <rtcweb@ietfa.amsl.com>; Thu, 8 Sep 2011 23:07:30 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se []) by ietfa.amsl.com (Postfix) with ESMTP id B230D21F86FF for <rtcweb@ietf.org>; Thu, 8 Sep 2011 23:07:30 -0700 (PDT)
Received: from [] (ns.webway.se []) by smtp7.webway.se (Postfix) with ESMTPA id 424FE754BCE5 for <rtcweb@ietf.org>; Fri, 9 Sep 2011 06:09:21 +0000 (UTC)
From: "Olle E. Johansson" <oej@edvina.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 09 Sep 2011 08:09:20 +0200
Message-Id: <B4D435F5-3B88-4A4E-93D4-2283DBF3F9D2@edvina.net>
To: rtcweb@ietf.org
Mime-Version: 1.0 (Apple Message framework v1244.3)
X-Mailer: Apple Mail (2.1244.3)
Subject: [rtcweb] Yesterday's meeting : Security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 06:07:31 -0000


In the webex meeting yesterday Eric Rescorla delivered a good presentation of some of the security aspects involved in the applications that will be built with webrtc/rtcweb technology.

Some of the issues he raises are application specific, some goes into w3c territory and some belongs in this group. The important question here is the impact of the rtcweb framework. Can we create hooks that help application developers? Is there a need to integrate security mechanisms somehow? 

Like: Does the media system need to be aware of the security properties (certificate chain, ssl state) of the HTTP connection? Does the app need to handle the media encryption keys at all or should we hide it from the app developer and the web server? 

Please read Eric's presentation and think. Maybe you can add a scenario here too.