ACTION-40: Propose text for bug 17202 to propose how to share keys without leakage of information from Joe Steele on 2013-10-28 (public-html-media@w3.org from October 2013)

From: Joe Steele <steele@adobe.com>
Date: Mon, 28 Oct 2013 09:57:08 -0700
To: "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <CF9140D7-6078-4D5A-83F2-A49549D9AECA@adobe.com>

I have a rough proposal here, please comment/critique ASAP.

In order to share keys between two sites, there are two concerns.

The first is how to ensure that an untrusted site does not get access to a key which is used by another site. The concern here is that the ability to detect the existence of keys for a particular site is information leakage, and even without an explicit API the lack of a key request would allow detection.

The second is that when two sites trust each other and *could* share keys, it is not clear how sites would discover those shared keys. One method would be allowing for generally shared information between sites at the CDM layer, but this could again lead to information leakage given that CDMs may communicate in an opaque manner.

I propose that the browser uses CORS Access-Control-Allow-Origin headers for the sites to determine the trust relationships between them. The browser can then provide a list of active session ids for sites trusting the current site with the needkey message when encountering encrypted content. The application can this pass this information down to the CDM which can then use those keys when appropriate. This will result in no information leakage, since the sites are in control of the trust relationship and the trust relationship is visible to the end user by virtue of being detailed in the CORS headers.

This has a few implications:
* The CDM must be creating the session ID if it wants to support this
* The browser must keep track of session IDs in relation to CORS trust relationships
* The needkey message needs another parameter - a list of session IDs which may be empty
* The createSession method needs another parameter - a list of session IDs which may be empty

I would like feedback from browser vendors on how difficult this is to implement. The clear benefit is client performance and battery life. The decreased network traffic is negligible.

Joe Steele
steele@adobe.com

Received on Monday, 28 October 2013 16:57:35 UTC