[RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web Real-Time Communication Use-cases and Requirements)

Schmidt, Christian 1. (NSN - DE/Munich) christian.1.schmidt at nsn.com
Wed Mar 9 09:45:38 CET 2011


Hi Harald

> In the total RTCWEB effort (IETF and W3C), we need to consider the fact
> that the user will likely have more trust in the non-maliciousness of
> the browser than in the non-maliciousness of Javascript downloaded from
> a Web page.

Is this also the case, even if the browser was downloaded from a Web
page and updated several times via the Internet?

BR
Christian



-----Original Message-----
From: rtc-web-bounces at alvestrand.no
[mailto:rtc-web-bounces at alvestrand.no] On Behalf Of ext Harald
Alvestrand
Sent: Tuesday, March 08, 2011 2:35 PM
To: Christer Holmberg
Cc: Ted Hardie; rtc-web at alvestrand.no
Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web
Real-Time Communication Use-cases and Requirements)

On 03/08/11 14:08, Christer Holmberg wrote:
> Hi Ted,
>
> Our understanding, based on the discussions regarding the charter, is
> that the working group will focus on the browser, with the purpose being
> to ensure alignment with the work in W3C.
>
> Therefore our focus has been on browser based applications, and we
> haven't really considered native applications.
>
> If that is unclear in the draft, we can clarify it in the next
> version.
One nice feature of the doc is that it has a few different use cases 
that don't strictly use web browsers - in particular, the talent scout 
of section 4.6.1 uses an app on a smartphone while his manager uses a 
desktop PC (presumably with a browser-based app).

In the total RTCWEB effort (IETF and W3C), we need to consider the fact
that the user will likely have more trust in the non-maliciousness of
the browser than in the non-maliciousness of Javascript downloaded from
a Web page.

In the strict IETF effort, the Javascript API boundary is out-of-scope -
but at the moment, this is the mailing list that contains the people
interested in both efforts; we haven't started splitting up yet.

What I draw from that is that the IETF needs to specify security in 
terms of acceptable and unacceptable behaviour of end systems, whether 
they are browsers or not (video slamming, congestion-causing behaviour 
and making eavesdroppers' lives easy are all failures that can be 
observed on the network interface), while the W3C effort will have to
address means of making it easy to prevent those problems by controlling
the API presented to the less trusted parts of the overall system (the
downloaded Javascripts).

              Harald

> Regards,
>
> Christer
>
>
>
>> -----Original Message-----
>> From: Ted Hardie [mailto:ted.ietf at gmail.com]
>> Sent: 8 March 2011 6:23
>> To: Christer Holmberg
>> Cc: rtc-web at alvestrand.no
>> Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00
>> (Web Real-Time Communication Use-cases and Requirements)
>>
>> Hi Christer,
>>
>> Thanks for putting together the document.  One thing that
>> struck me in reading it is that it has both some use cases in
>> which the downloadable web application is paramount, but
>> others (notably 4.4 and
>> 4.6) in which the description could equally apply to
>> standalone applications.  In side conversations, Harald and I
>> have discussed whether the threat model in standalone
>> applications, even those using the same underlying protocol
>> mechanics for rendezvous and media streaming, is really the
>> same.  Would you see a MMORG application using this method as
>> having different threats than a downloaded casual game?
>>
>> regards,
>>
>> Ted
>>
> _______________________________________________
> RTC-Web mailing list
> RTC-Web at alvestrand.no
> http://www.alvestrand.no/mailman/listinfo/rtc-web
>
