Re: [rtcweb] Text proposal for CNAME in draft-ietf-rtcweb-rtp-usage

Martin Thomson <martin.thomson@gmail.com> Tue, 15 April 2014 17:33 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91EC81A01E7 for <rtcweb@ietfa.amsl.com>; Tue, 15 Apr 2014 10:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2yLAMWmFL-V for <rtcweb@ietfa.amsl.com>; Tue, 15 Apr 2014 10:33:07 -0700 (PDT)
Received: from mail-we0-x22f.google.com (mail-we0-x22f.google.com [IPv6:2a00:1450:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 5C0CC1A02E3 for <rtcweb@ietf.org>; Tue, 15 Apr 2014 10:33:07 -0700 (PDT)
Received: by mail-we0-f175.google.com with SMTP id q58so9631265wes.6 for <rtcweb@ietf.org>; Tue, 15 Apr 2014 10:33:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JkbclcbV3Od+bSrsUdjs0UhquxvWL7+NpgBQBlGtHM8=; b=lZ9fdWb+GC0QZPF9+yPMs7qi8Ktd/zM7eY1uuALZih7MVODlOIIBflgGEY8znurWk9 VYG2Hh+aLcKrx56C7p/21wrJ6xrNN6Q6dwVplfDgfiM1hdE1TUtx+yVJblkEYeaN/QMi e+8VQpX60LSZmkTR8iPv0Mr33QT8qn76mifZcw3HKd8mhGX/kL7FCfCHhXII+g6GHr5j 4H0Eka/R3vQKqbdbrzFH7+qTJsdWar4MMsjV/Lea4MzBWGKnrVyTPEj39YbMn7RsB/kW AkuL+fvNvTztgDHNQrDGbrbcgLJQy0lLreBKvv295orqxWF5quU7glK0DUvWF4KAHLtA 4y/g==
MIME-Version: 1.0
X-Received: by 10.180.13.180 with SMTP id i20mr15392357wic.56.1397583184048; Tue, 15 Apr 2014 10:33:04 -0700 (PDT)
Received: by 10.227.144.132 with HTTP; Tue, 15 Apr 2014 10:33:04 -0700 (PDT)
In-Reply-To: <534D21C2.20300@ericsson.com>
References: <533E76AC.7030003@ericsson.com> <CABkgnnVD09V80OkXY=ZKicYhjBMR8XZMFYCXrMmHMkVWE7mwVw@mail.gmail.com> <005B30AC-F891-481E-A25A-D3705713F1D3@csperkins.org> <CABkgnnUSpeL8fv=7gRmM+QSYvFgd16r_2cP6J066DL+dkydrCg@mail.gmail.com> <534284B7.7010103@ericsson.com> <534D21C2.20300@ericsson.com>
Date: Tue, 15 Apr 2014 10:33:04 -0700
Message-ID: <CABkgnnWC9SCFbRqvnEkciqfHtwv6j48cLP0JeE4DfhH6cqToSw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/mAP0aT7_vNlf0VFIIId8U4TQ_nU
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, Colin Perkins <csp@csperkins.org>
Subject: Re: [rtcweb] Text proposal for CNAME in draft-ietf-rtcweb-rtp-usage
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Apr 2014 17:33:12 -0000

The text looks fine, with one comment.

On 15 April 2014 05:10, Magnus Westerlund
<magnus.westerlund@ericsson.com> wrote:
>       Note: It is important that the same CNAME is not used in different
>       communication session contexts or origins, as that could enable
>       tracking of a user and its device usage of different services.
>       See Section 4.4.1 of Security Considerations for WebRTC
>       [I-D.ietf-rtcweb-security] for further discussion.

I'd rather not have this hidden in a "Note", and I'd prefer if it were
more concrete.  I think that we need to say something like:

A different CNAME MUST be used for different RTCPeerConnection
instances.  Having two communication sessions with the same CNAME
could enable tracking of a user or device across different services
(see Section 4.4.1 of [security] for details).  A web application MAY
override the CNAME that is selected using the process in [RFC7022] to
allow for synchronization of disjoint sessions; [[this doesn't result
in a tracking issue, since the creation of matching CNAMEs depends on
existing tracking]].