[rtcweb] Stephen Farrell's Discuss on draft-ietf-rtcweb-stun-consent-freshness-15: (with DISCUSS and COMMENT)
"Stephen Farrell" <stephen.farrell@cs.tcd.ie> Wed, 05 August 2015 22:38 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A75FA1ACE39; Wed, 5 Aug 2015 15:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MTIezEvVPWb9; Wed, 5 Aug 2015 15:38:37 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D291A8BB4; Wed, 5 Aug 2015 15:38:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.3.0.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150805223837.26225.49192.idtracker@ietfa.amsl.com>
Date: Wed, 05 Aug 2015 15:38:37 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/aE_Q8Z10gZX12vXfJ-K3xA0fQHg>
Cc: draft-ietf-rtcweb-stun-consent-freshness.ad@ietf.org, rtcweb@ietf.org, draft-ietf-rtcweb-stun-consent-freshness@ietf.org, rtcweb-chairs@ietf.org, draft-ietf-rtcweb-stun-consent-freshness.shepherd@ietf.org
Subject: [rtcweb] Stephen Farrell's Discuss on draft-ietf-rtcweb-stun-consent-freshness-15: (with DISCUSS and COMMENT)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 22:38:38 -0000
Stephen Farrell has entered the following ballot position for draft-ietf-rtcweb-stun-consent-freshness-15: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-rtcweb-stun-consent-freshness/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Apologies that these discuss points are maybe asking fairly fundamental questions. That could be that this is really the first of the new security things required by rtcweb to get to the IESG. Or maybe I'm misreading stuff here, if so, sorry;-) (1) Why call this "consent?" That term is (ab)used in many ways on the web, and adding another variation without a definition that distinguishes this from "click ok to my 200 page anti-privacy policy" or "remember that example.com is allowed use my camera/mic" seems like a terrible idea. I also don't see how this can ever be something to which a normal person can "consent" (i.e. consciously agree while fully understanding) so the term is IMO very misleading, and will I fear be used to mislead further. (See also some of the comments below - I do not think we ought be as fast and loose with this aleady terribly badly used term.) To summarise: I'd love if you did s/consent/anything-else/g but if not, please define consent here in a way that clearly and unambiguously distinguishes this usage from other abuses of the term. (2) WebRTC does not require STUN or TURN servers for some calls, even if it does for many. Why is it ok to require such a server be present in all calls (which I think this means) espcially when that means exposing additional meta-data (calling parties in a case where the servers weren't needed and call duration in all cases) to those servers when that is not always necessary? (3) (end of p5) You have a MUST NOT here that is depenedent on current browser implementations. Why is that an IETF thing and not a W3C thing? But more interestingly, can one securely use this protocol without the kind of JS vs. browser sandboxing etc that's needed in the web? If the answer is "no" then don't you need to say that this protocol can only safely be used for such implementations? (In section 2, which almost but not quite says that.) (4) Cleared. (5) Cleared. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (Was discuss point#4) "Section 8: Where are these 96 bits defined? I think this "requires..." statement needs a precise reference to the place in some ICE/TURN/STUN RFC where it's defined. (And I forget where that is, sorry:-) This should be an easy fix." Alissa gave me the reference [1] sothat's grand. It might be an idea to make that clearer if it wasn't just me missing it as I read, which is very possible;-) [1] https://tools.ietf.org/html/rfc5389#section-6 - abstract: why is only sending "media" mentioned here? What about data channels? And the body of the document in fact says this all applies to any non-ICE data and not only media. - intro: "initial consent to send by performing STUN" I do not find the word consent in either rfc5245 or 3489, but perhaps it is used somewhere else. Where? And with what meaning? - section 4, 2nd last para - I think the conclusion is bogus. An implementation knows when the keying it's using can not involve >1 (nominally operating) party. - 5.1, 3rd para: "Explicit consent to send is obtained..." is misleading. That is not a concept that an implementation of STUN will embody. - 5.1, What is the "Note" about TCP for? Why is this needed?
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- [rtcweb] TURN permissions for private ips (was: R… Philipp Hancke
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] [tram] TURN permissions for private … Eric Rescorla
- Re: [rtcweb] [tram] TURN permissions for private … Philipp Hancke
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Xavier Marjou
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Roman Shpount
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Pal Martinsen (palmarti)
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Martin Thomson
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Cullen Jennings
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti