Re: [rtcweb] Reply: Fwd: I-D Action: draft-westerlund-rtcweb-codec-control-00.txt
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 21 May 2012 07:01 UTC
Message-ID: <4FB9E79C.1050300@ericsson.com>
Date: Mon, 21 May 2012 08:58:36 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: 邓灵莉/denglingli <denglingli@chinamobile.com>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Reply: Fwd: I-D Action: draft-westerlund-rtcweb-codec-control-00.txt

On 2012-05-21 03:44, 邓灵莉/denglingli wrote:
> Hi, Magnus
>
> It seems to me that there may be another security threat in multi-party
> applications of COP, where an entity needs to combine multiple sets of
> requested parameters, than the one discussed in the draft.
> That the initial downgrading of the combined potential ceiling for collected
> parameters for media quality (codec capabilities plus COP parameters as
> stated in Section 5) through SDP transaction by a malicious participant.
> Unlike the one stated in Section 8, the latter behavior only happens once
> and could neither be distinguished afterwards as "actively harmful" nor to
> be ignored in order to serve actually poorly-equipped users.
> Would that be an issue?
>

Yes, this is clearly a security threat to the complete solution. Not
that it is specific to codec control. It is a threat to all things
expressed in the SDP, like which codecs are being used, which security
mechanism is negotiated, etc.

In the WebRTC security architecture, my understanding is that it so far
is a deliberate choice to allow the JavaScript and the web browser to
modify the SDP if desired by them. Thus a security model based on
hop-by-hop security for the JSEP/SDP messages has been selected. For
example, the usage of HTTPS / Websocket over TLS can provide the security
to prevent third parties not directly addressed from seeing and
affecting the JSEP/SDP messages.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
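
The combining step discussed in this exchange, as an added example that is not part of the original message or of the draft: an entity merges per-participant receiver ceilings by taking the minimum and records which participant set each one. The participant names, SDP fragments and policy floor are constructed, and the VP8 `max-fr`/`max-fs` fmtp parameters stand in for the draft's COP parameters.

```javascript
// Added example. Participant names and SDP fragments are constructed.
// max-fr / max-fs are VP8 receiver ceilings (RFC 7741), standing in for COP.
const sdp = (fr, fs) =>
  "m=video 9 UDP/TLS/RTP/SAVPF 96\r\n" +
  "a=rtpmap:96 VP8/90000\r\n" +
  `a=fmtp:96 max-fr=${fr};max-fs=${fs}\r\n`;
const offers = { alice: sdp(30, 3600), bob: sdp(30, 3600), carol: sdp(5, 99) };

// Collect the numeric a=fmtp parameters of one participant's SDP.
function parseCeilings(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^a=fmtp:\d+ (.*)$/.exec(line);
    if (!m) continue;
    for (const kv of m[1].split(";")) {
      const [k, v] = kv.trim().split("=");
      if (/^\d+$/.test(v || "")) out[k] = Number(v);
    }
  }
  return out;
}

// Combine by minimum, as a mixer would, but keep an audit trail: who set each
// ceiling, what it would be without them, and whether it is under a local
// policy floor (hypothetical; the application decides what to do then).
function combine(allOffers, floor = {}) {
  const seen = {};
  for (const [who, text] of Object.entries(allOffers)) {
    for (const [k, v] of Object.entries(parseCeilings(text))) {
      (seen[k] = seen[k] || []).push({ who, v });
    }
  }
  const report = {};
  for (const [k, values] of Object.entries(seen)) {
    values.sort((a, b) => a.v - b.v);
    report[k] = {
      ceiling: values[0].v,
      setBy: values[0].who,
      withoutThem: values.length > 1 ? values[1].v : null,
      belowFloor: k in floor && values[0].v < floor[k],
    };
  }
  return report;
}

console.log(combine(offers, { "max-fs": 396 }));
```

The report shows that one participant alone sets the ceiling for everyone; it does not tell a poorly equipped endpoint from a deliberate downgrade, which is the difficulty raised in the quoted message.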