Re: [irsg] Meetecho for interims?

Carsten Bormann <cabo@tzi.org> Sun, 02 August 2020 19:28 UTC

Subject: Re: [irsg] Meetecho for interims?
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <20200802025303.GG1772@faui48f.informatik.uni-erlangen.de>
Date: Sun, 02 Aug 2020 21:28:20 +0200
Cc: Leif Johansson <leifj@sunet.se>, WG Chairs <wgchairs@ietf.org>
Message-Id: <EE6B8F66-D331-48CE-AE76-6972FD5CEB11@tzi.org>
References: <B3C59EE7-67C5-44F1-9A1B-6453267B8B58@tzi.org> <C0FD0348-93CD-417E-93E2-F8FA987C0A93@sunet.se> <07039CD4-D25E-46A3-A4AA-D34039AD5C35@tzi.org> <20200802025303.GG1772@faui48f.informatik.uni-erlangen.de>
To: Toerless Eckert <tte@cs.fau.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wgchairs/Wl0S8Wv9UpSCDiDbRa5Z256wRao>

Hi Toerless,

I really didn’t want to further extend this part of the thread.
But it seems my position can easily be misunderstood.

> What specifically are the technical risks for which you would not have joined
> a ZVC meeting, such as one of the IETF108 side meetings that used zoom?
> (or for that matter of course future interims, which this thread is about)

The technical risks, and ZVC’s moves to appear getting them covered, are well documented.  I cited Steven Bellovin’s piece that came to the conclusion that these are manageable for the kinds of communication that are similar to what we do in open meetings.
(I don’t agree with respect to system security.)

However, the reason I’m not going to join conferences based on ZVC products is mainly Ethical, with the technical issues playing second fiddle.

> If the reason is fear of unknown undetected security risk due to lack of
> trust into the security diligence of ZVC, would using the RTCweb browser
> client instead of the native client resolve this issue?

Certainly not the Ethical issues.  On the technical side, I do believe that I should prefer browser access over installing vendor-supplied apps with wide access to my system.  But, again, see Steve’s counterpoint on this specific issue.

As a general observation, it is enlightening to which level of criminal energy (technical term here, not the legal one) the ZVC developers have risen to circumvent CORS for their backdoor; it does not seem far-fetched to assume there will be other attacks on browser security when the browser security features happen to get in the way of ZVC corporate policy.

> If we want future interims like past interims to be publicly announced
> without participant authentication, I think zoombombing would be a risk
> for any platform we choose: meetecho, webex, zoom, BBB, whatever.

Even discussing Zoombombing as a security issue makes me question whether you have started to consider the real issues.  However, let me point out that conferencing systems based on authorization, such as meetecho or BBB (if correctly configured), only have the problem as far as the authorization can be gamed.

> Leaves as the biggest risk AFAIK the problem of clients creating backdoors,
> and I would hope that w3c/ietf work on browser client platform security
> would be sufficient.

(See above.)

Fool me once, shame on you; fool me twice, shame on me.

Grüße, Carsten