Re: [rtcweb] Benjamin Kaduk's Discuss on draft-ietf-rtcweb-security-11: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 06 March 2019 19:44 UTC

Date: Wed, 06 Mar 2019 13:44:16 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Adam Roach <adam@nostrum.com>
CC: Datatracker on behalf of Benjamin Kaduk <ietf-secretariat-reply@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-rtcweb-security@ietf.org, rtcweb@ietf.org, sean@sn3rd.com, rtcweb-chairs@ietf.org
Message-ID: <20190306194416.GO9824@kduck.mit.edu>
References: <155189932716.14137.9903426522882898659.idtracker@ietfa.amsl.com> <83e273b7-09b8-6560-097b-9410c2f8f9fd@nostrum.com>
In-Reply-To: <83e273b7-09b8-6560-097b-9410c2f8f9fd@nostrum.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/_o5PJwJ9CM5eMv5nP9bpcdGs5-I>
Subject: Re: [rtcweb] Benjamin Kaduk's Discuss on draft-ietf-rtcweb-security-11: (with DISCUSS and COMMENT)
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>

On Wed, Mar 06, 2019 at 01:28:53PM -0600, Adam Roach wrote:
> I wanted to quickly respond to the two discuss questions you have.

Thanks; that's enough to clear my Discuss, though I do request that these
points be made more clearly in the document itself.

-Benjamin

> On 3/6/19 1:08 PM, Datatracker on behalf of Benjamin Kaduk wrote:
> > Mutually-verifiable "secure mode" seems to require that the peer's browser be included in
> > the TCB, which is a bit hard to swallow.  Are we comfortable wrapping that in alongside
> > "we trust the peer to not be malicious"?
> 
> 
> You are correct that this is part of the assumption of the model, and 
> the reason it makes any sense at all is that the "attacker" of concern 
> here is a web app. To mount an attack with the current assumptions, a 
> malicious app would need to somehow compel a user to install a malicious 
> browser platform prior to using its app.
> 
> Another way of thinking about this is: unless we are going to require 
> the validated use of a cryptographically secured operating system with 
> signed, secure audio and video drivers that require HDCP, running on 
> Trusted Computing hardware, then we need to draw a line somewhere, 
> beyond which the media is considered in a "safe enough" environment.
> 
> 
> > It's not clear how much benefit we can get from *optional* third-party identity providers;
> > won't the calling service have the ability to silently downgrade to their non-usage even if
> > both calling peers support it?
> 
> 
> The notion here is that the web browser itself provides indicia that 
> mean "this media is secure and being sent only to <remote party's 
> identity>" in a way that web pages cannot. So you are correct that it's 
> up to the web app to opt-in to this feature; but whether they do so is 
> user-visible. So, e.g., if you host a service that claims its media 
> cannot be intercepted (e.g., in the style of Signal, Wire, or WhatsApp), 
> users can trivially verify whether such a claim is true.
> 
> /a
>
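The opt-in Adam describes (the app asks the browser for a specific peer identity, and the browser then refuses to treat the call as secure without a verified assertion) is what the `peerIdentity` member of the RTCPeerConnection configuration requests in a browser. The following is an added example, not code from the draft, this thread, or any browser: a stand-alone model of the check the verifying side performs over the peer's SDP, written so that a session which simply omits the assertion fails closed instead of quietly becoming an unauthenticated call, which is the downgrade Ben's second Discuss point asks about. It is modelled on the `a=identity` SDP attribute of the WebRTC security architecture (base64 JSON naming the IdP plus an opaque assertion); the IdP validation step (`validateAssertion`/`stubValidate`), the function names, the fingerprint and the user identities are all assumptions constructed for the example.

```javascript
// Added example (not code from the draft, the thread, or any browser): a
// fail-closed check over the peer's SDP, modelled on the a=identity attribute
// of the WebRTC security architecture. IdP validation is a caller-supplied
// stub and every sample value below is constructed, not real.

// Collect a=identity and a=fingerprint values from session and media level.
function parseSdpAttributes(sdp) {
  const attrs = { identity: [], fingerprint: [] };
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=(identity|fingerprint):(.+)$/.exec(line.trim());
    if (m) attrs[m[1]].push(m[2].trim());
  }
  return attrs;
}

// a=identity carries base64 JSON: {"idp":{"domain","protocol"},"assertion"}.
function decodeIdentityAttribute(value) {
  const obj = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
  if (!obj.idp || typeof obj.idp.domain !== 'string' || obj.assertion === undefined) {
    throw new Error('malformed a=identity value');
  }
  return obj;
}

function encodeIdentityAttribute(idp, assertion) {
  return Buffer.from(JSON.stringify({ idp, assertion }), 'utf8').toString('base64');
}

// "sha-256 AB:CD:..." -> { algorithm, digest }, case folded for comparison.
function normaliseFingerprint(fp) {
  const [algorithm = '', digest = ''] = fp.trim().split(/\s+/);
  return { algorithm: algorithm.toLowerCase(), digest: digest.toUpperCase() };
}

const domainOf = id => (id.includes('@') ? id.slice(id.lastIndexOf('@') + 1).toLowerCase() : '');

// Returns { ok: true, identity } or { ok: false, reason }. With requiredIdentity
// set, an SDP that simply omits the assertion is rejected instead of being
// accepted as an unauthenticated call: that is the silent downgrade.
function enforcePeerIdentity({ sdp, requiredIdentity, validateAssertion }) {
  const attrs = parseSdpAttributes(sdp);
  if (attrs.identity.length === 0) {
    return requiredIdentity
      ? { ok: false, reason: 'identity required but SDP carries no a=identity (downgrade)' }
      : { ok: true, identity: null };
  }
  let decoded;
  try { decoded = decodeIdentityAttribute(attrs.identity[0]); }
  catch (e) { return { ok: false, reason: e.message }; }

  // validateAssertion stands in for the IdP proxy: it returns the asserted
  // identity and the "contents" string the assertion was generated over.
  const result = validateAssertion(decoded.idp, decoded.assertion);
  if (!result || typeof result.identity !== 'string') {
    return { ok: false, reason: 'assertion failed validation' };
  }
  // An IdP may only vouch for identities in its own domain.
  if (domainOf(result.identity) !== decoded.idp.domain.toLowerCase()) {
    return { ok: false, reason: 'asserted identity is outside the IdP domain' };
  }
  // Bind the assertion to the DTLS certificate: every a=fingerprint in the
  // SDP must be among the fingerprints the assertion was generated over.
  let signed;
  try { signed = JSON.parse(result.contents).fingerprint || []; }
  catch { return { ok: false, reason: 'assertion contents are not JSON' }; }
  const signedSet = new Set(signed.filter(f => f && f.algorithm && f.digest)
    .map(f => `${f.algorithm.toLowerCase()} ${f.digest.toUpperCase()}`));
  if (attrs.fingerprint.length === 0) return { ok: false, reason: 'SDP has no a=fingerprint' };
  for (const fp of attrs.fingerprint) {
    const n = normaliseFingerprint(fp);
    if (!signedSet.has(`${n.algorithm} ${n.digest}`)) {
      return { ok: false, reason: `fingerprint not covered by identity assertion: ${fp}` };
    }
  }
  if (requiredIdentity && result.identity !== requiredIdentity) {
    return { ok: false, reason: `asserted ${result.identity}, required ${requiredIdentity}` };
  }
  return { ok: true, identity: result.identity };
}

// ---- constructed sample data: not a real certificate, IdP or user ----
const SAMPLE_FP = 'sha-256 19:E2:1C:3B:4B:9F:81:E6:B8:5D:1C:AA:E4:C3:C0:74:F7:5A:4D:4B:4C:EA:6A:C7:5E:F9:8A:9F:1A:2B:3C:4D';
const SAMPLE_IDP = { domain: 'example.org', protocol: 'default' };

// Stub IdP validation: the "assertion" is plain JSON { identity, contents }
// taken at face value. A real IdP proxy verifies a signature over contents.
function stubValidate(idp, assertion) {
  try { return JSON.parse(assertion); } catch { return null; }
}

function sampleSdp({ withIdentity, fingerprint = SAMPLE_FP, identity = 'alice@example.org' }) {
  const lines = ['v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0'];
  if (withIdentity) {
    const contents = JSON.stringify({ fingerprint: [normaliseFingerprint(SAMPLE_FP)] });
    lines.push('a=identity:' + encodeIdentityAttribute(SAMPLE_IDP, JSON.stringify({ identity, contents })));
  }
  lines.push('m=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0', 'a=fingerprint:' + fingerprint);
  return lines.join('\r\n') + '\r\n';
}
```

The design point is that the decision to fail closed sits with the side that demanded an identity, not with the calling service: once the app has set a required peer identity, a service that strips `a=identity` from the answer produces a visible failure rather than an unauthenticated call, and a service that forwards the assertion but swaps in its own DTLS certificate is caught by the fingerprint binding. Without a required identity (the `requiredIdentity: null` case) the absence of an assertion is accepted, which is exactly the unverified-by-default situation the optional mechanism leaves in place.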