Re: [rtcweb] Stephen Farrell's Discuss on draft-ietf-rtcweb-stun-consent-freshness-15: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 05 August 2015 17:06 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 000561B3209; Wed, 5 Aug 2015 10:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3HvCJBlhUIH; Wed, 5 Aug 2015 10:06:30 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07F781B31F7; Wed, 5 Aug 2015 10:06:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C9263BE7C; Wed, 5 Aug 2015 18:06:28 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9sVBYnnrFkyP; Wed, 5 Aug 2015 18:06:28 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 6A11FBE88; Wed, 5 Aug 2015 18:06:27 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1438794387; bh=O692CJL1Mfbe8PyzEw5u0kavUQiU/jYbz0gJe+I4uOw=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=uUo5kNZnY4cnilNhfMzmf4dbb3BGtxX7wK2UMU2g2ZQufHWFfGUoFkjwJjRGiQsTr nJGUVn4ZrjuEq77nz6rJrP4TX2yzAgiWFAEfpPe6Oi8nG2Wc8QX+0wSZBrQOLPLz7x +YhRWtyqCUue8s9HRqXscOx+ecKBZ/bY3OZD0HZU=
Message-ID: <55C24293.5000603@cs.tcd.ie>
Date: Wed, 05 Aug 2015 18:06:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com>
In-Reply-To: <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/xpjdX4liVS0PdDfyQnxLvlMw4os>
Cc: draft-ietf-rtcweb-stun-consent-freshness@ietf.org, rtcweb-chairs@ietf.org, draft-ietf-rtcweb-stun-consent-freshness.shepherd@ietf.org, "rtcweb@ietf.org" <rtcweb@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-rtcweb-stun-consent-freshness.ad@ietf.org
Subject: Re: [rtcweb] Stephen Farrell's Discuss on draft-ietf-rtcweb-stun-consent-freshness-15: (with DISCUSS and COMMENT)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 17:06:33 -0000
Hiya. On 05/08/15 16:00, Eric Rescorla wrote: > On Wed, Aug 5, 2015 at 6:06 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > >> Stephen Farrell has entered the following ballot position for >> draft-ietf-rtcweb-stun-consent-freshness-15: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-rtcweb-stun-consent-freshness/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> >> >> Apologies that these discuss points are maybe asking >> fairly fundamental questions. That could be that this >> is really the first of the new security things required >> by rtcweb to get to the IESG. Or maybe I'm misreading >> stuff here, if so, sorry;-) >> >> (1) Why call this "consent?" That term is (ab)used in >> many ways on the web, and adding another variation >> without a definition that distinguishes this from "click >> ok to my 200 page anti-privacy policy" or "remember that >> example.com is allowed use my camera/mic" seems like a >> terrible idea. I also don't see how this can ever be >> something to which a normal person can "consent" (i.e. >> consciously agree while fully understanding) so the term >> is IMO very misleading, and will I fear be used to >> mislead further. (See also some of the comments below - >> I do not think we ought be as fast and loose with this >> aleady terribly badly used term.) To summarise: I'd love >> if you did s/consent/anything-else/g but if not, please >> define consent here in a way that clearly and >> unambiguously distinguishes this usage from other abuses >> of the term. >> > > You should probably propose a new term at this point. Really? Happy to try (and fail:-) How'd "willing to take rtcweb traffic" work? I suspect it wouldn't though. But I'm not clear if you're agreeing that that term is problematic or just asking me to suggest something in the hope I realise the futility of what I'm requesting? > > > (2) WebRTC does not require STUN or TURN servers for >> some calls, even if it does for many. Why is it ok to >> require such a server be present in all calls (which I >> think this means) espcially when that means exposing >> additional meta-data (calling parties in a case where >> the servers weren't needed and call duration in all >> cases) to those servers when that is not always >> necessary? >> > > I'm not sure what you mean by "OK" and "require". > The physics of the > situation > is that if you want to do a call between two people not on the same network, > then you minimally need STUN. Sure. But if they're on the same n/w? Do we agree that in that case, there shouldn't be a need for a new STUN or TURN server in the call? And that if this draft meant such a server was needed even in that case, then that'd be an issue? > If you want it to (almost) always work you > need TURN. This isn't a spec requirement but just a result of the network > topology. As far as I know, the specs don't require that the site supply > a STUN/TURN server and the implementations don't either, but I'm not > sure what else you're looking for. So one non-inevitable consequence of the how this draft is written is that the STUN/TURN server gets to know the call duration. That could have been avoided I think if some other design had been chosen. Part of my question then is why exposing that additional meta-data to a server that most users won't know exists, and that is likely controlled by some entity the user has no clue is even involved in their calls, is acceptable. >> (3) (end of p5) You have a MUST NOT here that is >> depenedent on current browser implementations. Why is >> that an IETF thing and not a W3C thing? But more >> interestingly, can one securely use this protocol >> without the kind of JS vs. browser sandboxing etc that's >> needed in the web? If the answer is "no" then don't you >> need to say that this protocol can only safely be used >> for such implementations? (In section 2, which almost >> but not quite says that.) >> > > This is just only relevant in this case. It doesn't apply to non-JS > implementations. Not sure I'm following. Are you saying that this protocol would be safe even if there wasn't the split between JS and non-JS code running on the browser? If so, that's good. Cheers, S. > > -Ekr > > ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> - abstract: why is only sending "media" mentioned here? >> What about data channels? And the body of the document >> in fact says this all applies to any non-ICE data and >> not only media. >> >> - intro: "initial consent to send by performing STUN" I >> do not find the word consent in either rfc5245 or 3489, >> but perhaps it is used somewhere else. Where? And with >> what meaning? >> >> - section 4, 2nd last para - I think the conclusion is >> bogus. An implementation knows when the keying it's >> using can not involve >1 (nominally operating) party. >> >> - 5.1, 3rd para: "Explicit consent to send is >> obtained..." is misleading. That is not a concept that >> an implementation of STUN will embody. >> >> - 5.1, What is the "Note" about TCP for? Why is this >> needed? >> >> >> _______________________________________________ >> rtcweb mailing list >> rtcweb@ietf.org >> https://www.ietf.org/mailman/listinfo/rtcweb >> >
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- [rtcweb] TURN permissions for private ips (was: R… Philipp Hancke
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] [tram] TURN permissions for private … Eric Rescorla
- Re: [rtcweb] [tram] TURN permissions for private … Philipp Hancke
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Xavier Marjou
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Roman Shpount
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Pal Martinsen (palmarti)
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Martin Thomson
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Cullen Jennings
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti