[RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web Real-Time Communication Use-cases and Requirements)

Schmidt, Christian 1. (NSN - DE/Munich) christian.1.schmidt at nsn.com
Wed Mar 9 10:23:12 CET 2011


Hi Harald,

thank you for the fast reply. I just tried to download a popular
web browser and received an offer for an exe file based on http://..
What about this browser? Can I trust it?

BR
Christian


-----Original Message-----
From: ext Harald Alvestrand [mailto:harald at alvestrand.no] 
Sent: Wednesday, March 09, 2011 10:02 AM
To: Schmidt, Christian 1. (NSN - DE/Munich)
Cc: Christer Holmberg; Ted Hardie; rtc-web at alvestrand.no
Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web
Real-Time Communication Use-cases and Requirements)

On 03/09/2011 09:45 AM, Schmidt, Christian 1. (NSN - DE/Munich) wrote:
> Hi Harald
>
>> In the total RTCWEB effort (IETF and W3C), we need to consider the fact
>> that the user will likely have more trust in the non-maliciousness of
>> the browser than in the non-maliciousness of Javascript downloaded from
>> a Web page.
>
> Is this also the case, even if the browser was downloaded from a Web
> page and several times updated via Internet?
Good question, unfortunately not many users seem to think that far....

If it was downloaded from a web page using HTTPS with a valid 
certificate chain, and each update followed the same constraint 
(possibly with additional verification mechanisms), you should have as 
much faith in the browser as you have in the integrity of the least 
trustworthy of the links involved in that process.

The same actually goes for the Javascript, but where browser 
downloads/updates happen to a user a few times a month, Javascript 
downloads happen multiple times a minute.
> BR
> Christian
>
>
>
> -----Original Message-----
> From: rtc-web-bounces at alvestrand.no
> [mailto:rtc-web-bounces at alvestrand.no] On Behalf Of ext Harald
> Alvestrand
> Sent: Tuesday, March 08, 2011 2:35 PM
> To: Christer Holmberg
> Cc: Ted Hardie; rtc-web at alvestrand.no
> Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web
> Real-Time Communication Use-cases and Requirements)
>
> On 03/08/11 14:08, Christer Holmberg wrote:
>> Hi Ted,
>>
>> Our understanding, based on the discussions regarding the charter, is
>> that the working group will focus on the browser, with the purpose being
>> to ensure alignment with the work in W3C.
>> Therefore our focus has been on browser based applications, and we
>> haven't really considered native applications.
>> If that is unclear in the draft, we can clarify it in the next
>> version.
> One nice feature of the doc is that it has a few different use cases
> that don't strictly use web browsers - in particular, the talent scout
> of section 4.6.1 uses an app on a smartphone while his manager uses a
> desktop PC (presumably with a browser-based app).
>
> In the total RTCWEB effort (IETF and W3C), we need to consider the fact
> that the user will likely have more trust in the non-maliciousness of
> the browser than in the non-maliciousness of Javascript downloaded from
> a Web page.
>
> In the strict IETF effort, the Javascript API boundary is out-of-scope -
> but at the moment, this is the mailing list that contains the people
> interested in both efforts; we haven't started splitting up yet.
>
> What I draw from that is that the IETF needs to specify security in
> terms of acceptable and unacceptable behaviour of end systems, whether
> they are browsers or not (video slamming, congestion-causing behaviour
> and making eavesdroppers' lives easy are all failures that can be
> observed on the network interface), while the W3C effort will have to
> address means of making it easy to prevent those problems by controlling
> the API presented to the less trusted parts of the overall system (the
> downloaded Javascripts).
>
>                Harald
>
>> Regards,
>>
>> Christer
>>
>>
>>
>>> -----Original Message-----
>>> From: Ted Hardie [mailto:ted.ietf at gmail.com]
>>> Sent: 8 March 2011 6:23
>>> To: Christer Holmberg
>>> Cc: rtc-web at alvestrand.no
>>> Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00
>>> (Web Real-Time Communication Use-cases and Requirements)
>>>
>>> Hi Christer,
>>>
>>> Thanks for putting together the document.  One thing that
>>> struck me in reading it is that it has both some use cases in
>>> which the downloadable web application is paramount, but
>>> others (notably 4.4 and
>>> 4.6) in which the description could equally apply to
>>> standalone applications.  In side conversations, Harald and I
>>> have discussed whether the threat model in standalone
>>> applications, even those using the same underlying protocol
>>> mechanics for rendezvous and media streaming, is really the
>>> same.  Would you see a MMORG application using this method as
>>> having different threats than a downloaded casual game?
>>>
>>> regards,
>>>
>>> Ted
>>>
>> _______________________________________________
>> RTC-Web mailing list
>> RTC-Web at alvestrand.no
>> http://www.alvestrand.no/mailman/listinfo/rtc-web
>>


