[Bug 26401] Key message destinationURL usage is not reflected in examples

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26401

--- Comment #10 from Joe Steele <steele@adobe.com> ---
(In reply to Mark Watson from comment #9)
> To re-iterate what I said on the call: I see legitimate use-cases for the
> CDM to supply routing information along with the message. If we don't
> provide an explicit field for this CDMs will just redefine their message
> format to be a ( routing, message ) pair.
> 
> I don't see how we could ban CDMs from basing this routing information in
> part on information in the initData.

Agreed. We would definitely do this for our CDM.  

> 
> The question of the security of the initData is a general one. Keysystem
> designs need to consider the security implications of using this
> information. Obviously, the security considerations for information that
> might influence message routing is different from that for information which
> might only influence message contents, since you could cause the message not
> to be sent to the expected place. That is, an attack on the message contents
> could be mitigated at the server, but an attack on the message routing
> cannot, because the server might never see the message.
> 
> Perhaps we need some information in the security considerations about the
> need to protect initData ?

This is a good idea. However we already have some text in section 7.1.3
Tracking to address this (see "Encryption of user identifiers"). Maybe we
should expand that text to specifically discuss when identifiers are sent as
part of a key request message?

> 
> As far as this bug goes, we should avoid showing an example with a security
> hole, so perhaps the example should mention that the CDM needs to have
> validated the URL or even show the page validating the URL ?

That makes some sense. Validation of the domain and protocol being sent to
should be possible for all DRM systems I am aware of. 

One thing I failed to mention in the meeting today - the list of possible URLs
for the key request to be sent to should be known by the application. The
specific concern I have is that there may be a list of valid URLs and the
application does not know a priori which one the message is intended for. In
this case the application could just validate against a list of known domains
and protocols.


Received on Tuesday, 26 August 2014 17:39:57 UTC
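The allowlist check described in the comment above, as an added example in JavaScript that is not from the bug thread or the EME draft: the application validates a CDM-supplied destination URL against its own list of known (protocol, host) pairs before the key request leaves the page, so routing information the CDM may have derived from initData cannot send the message somewhere the license server never sees. The `destinationURL` attribute on the `message` event is assumed as in the 2014 draft under discussion; `KNOWN_LICENSE_SERVERS`, `validateDestination`, `handleKeyMessage` and `sendLicenseRequest` are constructed names, and the allowlist entries are constructed sample values.

```javascript
// Added example, not code from the EME draft or from any CDM.
// Constructed allowlist: the license servers this application knows about.
// Only scheme and host are compared; the path and query are left to the
// server, which can reject unexpected ones (an attack on message contents
// can be mitigated there; an attack on routing cannot).
const KNOWN_LICENSE_SERVERS = [
  { protocol: 'https:', host: 'license.example.com' },
  { protocol: 'https:', host: 'license-backup.example.com' },
];

// Parse the CDM-supplied URL and compare it, component by component, with the
// allowlist. Returns the parsed URL when acceptable, otherwise null.
// Component comparison (rather than string-prefix matching) means that
// "https://license.example.com.other.example/" and
// "https://license.example.com@other.example/" both fail, because their
// parsed host is not a listed one.
function validateDestination(destinationURL, allowlist = KNOWN_LICENSE_SERVERS) {
  let url;
  try {
    url = new URL(String(destinationURL)); // relative or malformed input throws
  } catch (e) {
    return null;
  }
  // url.host keeps a non-default port, so "https://license.example.com:8443"
  // does not match the entry for the default port.
  const allowed = allowlist.some(
    (entry) => entry.protocol === url.protocol && entry.host === url.host
  );
  return allowed ? url : null;
}

// Hypothetical handler for the draft's `message` event. `event.message` is the
// opaque CDM payload and `event.destinationURL` the CDM's routing suggestion.
// `sendLicenseRequest(href, payload)` is an assumed application function that
// performs the actual request. Returns a small result object so the decision
// can be logged or tested.
function handleKeyMessage(event, sendLicenseRequest) {
  const url = validateDestination(event.destinationURL);
  if (url === null) {
    // The destination did not match a known server: drop the message rather
    // than forward it. Nothing is sent, so the server cannot be bypassed.
    return { sent: false, reason: 'unexpected destination: ' + event.destinationURL };
  }
  sendLicenseRequest(url.href, event.message);
  return { sent: true, reason: null };
}

// Wiring it to a session would look like this (assumed API shape from the
// draft; `session` is a MediaKeySession):
//   session.addEventListener('message', (ev) =>
//     handleKeyMessage(ev, (href, payload) => postLicenseRequest(href, payload)));
```

The check deliberately compares the parsed `protocol` and `host` instead of testing whether the string starts with a known prefix, because a prefix test accepts look-alike hosts and userinfo-bearing URLs that the URL parser resolves to a different host. Keeping the allowlist in the application rather than trusting the CDM is exactly the division of responsibility the comment proposes: the CDM may choose among the known servers, but it cannot introduce a new one.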