
Hi Harald
In the total RTCWEB effort (IETF and W3C), we need to consider the fact that the user will likely have more trust in the non-maliciousness of the browser than in the non-maliciousness of Javascript downloaded from a Web page.

Is this also the case, even if the browser was downloaded from a Web page and several times updated via Internet?

BR
Christian

-----Original Message-----
From: rtc-web-bounces@alvestrand.no [mailto:rtc-web-bounces@alvestrand.no] On Behalf Of ext Harald Alvestrand
Sent: Tuesday, March 08, 2011 2:35 PM
To: Christer Holmberg
Cc: Ted Hardie; rtc-web@alvestrand.no
Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web Real-Time Communication Use-cases and Requirements)

On 03/08/11 14:08, Christer Holmberg wrote:
Hi Ted,
Our understanding, based on the discussions regarding the charter, is that the working group will focus on the browser, with the purpose being to ensure alignment with the work in W3C.
Therefore our focus has been on browser based applications, and we haven't really considered native applications.
If that is unclear in the draft, we can clarify it in the next version.

One nice feature of the doc is that it has a few different use cases that don't strictly use web browsers - in particular, the talent scout of section 4.6.1 uses an app on a smartphone while his manager uses a desktop PC (presumably with a browser-based app).

In the total RTCWEB effort (IETF and W3C), we need to consider the fact that the user will likely have more trust in the non-maliciousness of the browser than in the non-maliciousness of Javascript downloaded from a Web page. In the strict IETF effort, the Javascript API boundary is out-of-scope - but at the moment, this is the mailing list that contains the people interested in both efforts; we haven't started splitting up yet.

What I draw from that is that the IETF needs to specify security in terms of acceptable and unacceptable behaviour of end systems, whether they are browsers or not (video slamming, congestion-causing behaviour and making eavesdroppers' lives easy are all failures that can be observed on the network interface), while the W3C effort will have to address means of making it easy to prevent those problems by controlling the API presented to the less trusted parts of the overall system (the downloaded Javascripts).

Harald

Regards,
Christer

-----Original Message-----
From: Ted Hardie [mailto:ted.ietf@gmail.com]
Sent: 8 March 2011 6:23
To: Christer Holmberg
Cc: rtc-web@alvestrand.no
Subject: Re: [RTW] Draft new: draft-holmberg-rtcweb-ucreqs-00 (Web Real-Time Communication Use-cases and Requirements)

Hi Christer,
Thanks for putting together the document. One thing that struck me in reading it is that it has both some use cases in which the downloadable web application is paramount, but others (notably 4.4 and 4.6) in which the description could equally apply to standalone applications. In side conversations, Harald and I have discussed whether the threat model in standalone applications, even those using the same underlying protocol mechanics for rendezvous and media streaming, is really the same. Would you see a MMORG application using this method as having different threats than a downloaded casual game?
regards,
Ted
_______________________________________________
RTC-Web mailing list
RTC-Web@alvestrand.no
http://www.alvestrand.no/mailman/listinfo/rtc-web