[RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web Real-Time Communication Use-cases and Requirements)

Harald Alvestrand harald at alvestrand.no
Wed Mar 9 11:02:27 CET 2011


On 03/09/11 10:23, Schmidt, Christian 1. (NSN - DE/Munich) wrote:
> Hi Harald,
>
> thank you for the fast reply. I just tried to download a popular
> web browser and received an offer for an exe file based on http://..
> What about this browser? Can I trust it?
Good question. I'll file a bug against the installer of at least one.....
> BR
> Christian
>
>
> -----Original Message-----
> From: ext Harald Alvestrand [mailto:harald at alvestrand.no]
> Sent: Wednesday, March 09, 2011 10:02 AM
> To: Schmidt, Christian 1. (NSN - DE/Munich)
> Cc: Christer Holmberg; Ted Hardie; rtc-web at alvestrand.no
> Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web
> Real-Time Communication Use-cases and Requirements)
>
> On 03/09/2011 09:45 AM, Schmidt, Christian 1. (NSN - DE/Munich) wrote:
>> Hi Harald
>>
>>> In the total RTCWEB effort (IETF and W3C), we need to consider the fact
>>> that the user will likely have more trust in the non-maliciousness of
>>> the browser than in the non-maliciousness of Javascript downloaded from
>>> a Web page.
>>
>> Is this also the case, even if the browser was downloaded from a Web
>> page and several times updated via Internet?
> Good question, unfortunately not many users seem to think that far....
>
> If it was downloaded from a web page using HTTPS with a valid
> certificate chain, and each update followed the same constraint
> (possibly with additional verification mechanisms), you should have as
> much faith in the browser as you have in the integrity of the least
> trustworthy of the links involved in that process.
>
> The same actually goes for the Javascript, but where browser
> downloads/updates happen to a user a few times a month, Javascript
> downloads happen multiple times a minute.
>> BR
>> Christian
>>
>>
>>
>> -----Original Message-----
>> From: rtc-web-bounces at alvestrand.no
>> [mailto:rtc-web-bounces at alvestrand.no] On Behalf Of ext Harald
>> Alvestrand
>> Sent: Tuesday, March 08, 2011 2:35 PM
>> To: Christer Holmberg
>> Cc: Ted Hardie; rtc-web at alvestrand.no
>> Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web
>> Real-Time Communication Use-cases and Requirements)
>>
>> On 03/08/11 14:08, Christer Holmberg wrote:
>>> Hi Ted,
>>>
>>> Our understanding, based on the discussions regarding the charter, is
>>> that the working group will focus on the browser, with the purpose being
>>> to ensure alignment with the work in W3C.
>>> Therefore our focus has been on browser based applications, and we
>>> haven't really considered native applications.
>>> If that is unclear in the draft, we can clarify it in the next
>>> version.
>> One nice feature of the doc is that it has a few different use cases
>> that don't strictly use web browsers - in particular, the talent scout
>> of section 4.6.1 uses an app on a smartphone while his manager uses a
>> desktop PC (presumably with a browser-based app).
>>
>> In the total RTCWEB effort (IETF and W3C), we need to consider the fact
>> that the user will likely have more trust in the non-maliciousness of
>> the browser than in the non-maliciousness of Javascript downloaded from
>> a Web page.
>>
>> In the strict IETF effort, the Javascript API boundary is out-of-scope -
>> but at the moment, this is the mailing list that contains the people
>> interested in both efforts; we haven't started splitting up yet.
>>
>> What I draw from that is that the IETF needs to specify security in
>> terms of acceptable and unacceptable behaviour of end systems, whether
>> they are browsers or not (video slamming, congestion-causing behaviour
>> and making eavesdroppers' lives easy are all failures that can be
>> observed on the network interface), while the W3C effort will have to
>> address means of making it easy to prevent those problems by controlling
>> the API presented to the less trusted parts of the overall system (the
>> downloaded Javascripts).
>>
>>                 Harald
>>
>>> Regards,
>>>
>>> Christer
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Ted Hardie [mailto:ted.ietf at gmail.com]
>>>> Sent: 8 March 2011 6:23
>>>> To: Christer Holmberg
>>>> Cc: rtc-web at alvestrand.no
>>>> Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00
>>>> (Web Real-Time Communication Use-cases and Requirements)
>>>>
>>>> Hi Christer,
>>>>
>>>> Thanks for putting together the document.  One thing that
>>>> struck me in reading it is that it has both some use cases in
>>>> which the downloadable web application is paramount, but
>>>> others (notably 4.4 and
>>>> 4.6) in which the description could equally apply to
>>>> standalone applications.  In side conversations, Harald and I
>>>> have discussed whether the threat model in standalone
>>>> applications, even those using the same underlying protocol
>>>> mechanics for rendezvous and media streaming, is really the
>>>> same.  Would you see a MMORG application using this method as
>>>> having different threats than a downloaded casual game?
>>>>
>>>> regards,
>>>>
>>>> Ted
>>>>
>>> _______________________________________________
>>> RTC-Web mailing list
>>> RTC-Web at alvestrand.no
>>> http://www.alvestrand.no/mailman/listinfo/rtc-web
>>>
>