[secdir] secdir review of draft-ietf-rtcweb-overview
Dan Harkins <dharkins@lounge.org> Fri, 10 March 2017 23:36 UTC
From: Dan Harkins <dharkins@lounge.org>
To: "iesg@ietf.org" <iesg@ietf.org>, secdir@ietf.org, draft-ietf-rtcweb-overview.all@ietf.org
Message-ID: <97ebdafb-439f-8dee-bd55-cc24eb44b287@lounge.org>
Date: Fri, 10 Mar 2017 15:36:41 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/nZ2gtCPzbWl5rvoFjZ35E9BI4N4>

Greetings,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This I-D is an "Applicability Statement" and does not describe a protocol but, instead, a set of building blocks that should be accessible through a JavaScript API in a standard browser. These building blocks are supposed to allow browsers to communicate with each other using real-time services. The requirements this I-D places on implementations are to implement some other I-D or RFC, and that includes security-relevant requirements. I did not follow the references and look at the WebRTC security draft or the WebRTC security architecture draft. As it really doesn't provide any new protocol there really aren't any security-relevant vectors to look at.

Having said that, the Security Considerations are well done by enumerating the points of concern regarding web-enabled real-time communications.

This document is READY for publication.

regards,

Dan.