Re: ACTION-40: Propose text for bug 17202 to propose how to share keys without leakage of information

I wanted to be explicit because the CDM and the interface to the CDM is not specified. 
This could be implemented completely under the covers at the CDM interface layer. 
But it needs to be noted somehow in the specification as a requirement. 

Joe Steele
steele@adobe.com

On Oct 28, 2013, at 10:13 AM, Mark Watson <watsonm@netflix.com> wrote:

> Hi Joe,
> 
> Why does the application need to be involved? If two sites are "CORS-same-origin" the UA knows this and between the UA and the CDM can't they just make the keys of one origin available to the other without involving the application?
> 
> ...Mark
> 
> 
> 
> 
> On Mon, Oct 28, 2013 at 9:57 AM, Joe Steele <steele@adobe.com> wrote:
> I have a rough proposal here, please comment/critique ASAP.
> 
> In order to share keys between two sites, there are two concerns. 
> 
> The first is how to ensure that an untrusted site does not get access to a key which is used by another site. The concern here is that the ability to detect the existence of keys for a particular site is information leakage, and even without an explicit API the lack of a key request would allow detection. 
> 
> The second is that when two sites trust each other and *could* share keys, it is not clear how sites would discover those shared keys. One method would be allowing for generally shared information between sites at the CDM layer, but this could again lead to information leakage given that CDMs may communicate in an opaque manner. 
> 
> I propose that the browser uses CORS Access-Control-Allow-Origin headers for the sites to determine the trust relationships between them. The browser can then provide a list of active session ids for sites trusting the current site with the needkey message when encountering encrypted content. The application can then pass this information down to the CDM which can then use those keys when appropriate. This will result in no information leakage, since the sites are in control of the trust relationship and the trust relationship is visible to the end user by virtue of being detailed in the CORS headers.
> 
> This has a few implications:
> * The CDM must be creating the session ID if it wants to support this
> * The browser must keep track of session IDs in relation to CORS trust relationships 
> * The needkey message needs another parameter - a list of session IDs which may be empty
> * The createSession method needs another parameter - a list of session IDs which may be empty
> 
> I would like feedback from browser vendors on how difficult this is to implement. The clear benefit is client performance and battery life. The decreased network traffic is negligible.
> 
> Joe Steele
> steele@adobe.com
> 
> 

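The following is an added illustration of the browser-side bookkeeping Joe's proposal implies; it is not code from the thread, from EME, or from any CDM. The session registry and the observed Access-Control-Allow-Origin values are constructed sample data, and the function names (trustsOrigin, sharedSessionIds, buildNeedKeyMessage) are invented for the example. It models the two properties the proposal relies on: an origin only receives session IDs whose owning site has named it in a CORS header, and an origin that nobody trusts receives an empty list rather than any hint that other sessions exist.

```javascript
// Added example modelling the UA logic in Joe's proposal. Nothing here is a
// real EME/CDM API; all names and sample values are constructed.

// Constructed sample: active CDM sessions and the origin each belongs to.
// In the proposal the CDM creates the session ID and the UA records the
// owning origin.
const SESSION_REGISTRY = [
  { sessionId: "sess-a1", origin: "https://video.example" },
  { sessionId: "sess-a2", origin: "https://video.example" },
  { sessionId: "sess-b1", origin: "https://partner.example" },
  { sessionId: "sess-c1", origin: "https://other.example" },
];

// Constructed sample: the Access-Control-Allow-Origin value the UA has seen
// from each site. A site naming another origin (or "*") is taken to trust
// that origin, which is the trust signal the proposal uses.
const OBSERVED_ACAO = {
  "https://video.example": "https://partner.example",
  "https://partner.example": "https://video.example",
  "https://other.example": "https://cdn.example",
};

// Does `owner` trust `requester` according to its observed CORS header?
function trustsOrigin(owner, requester, acao = OBSERVED_ACAO) {
  const allowed = acao[owner];
  if (allowed === undefined) return false; // no header observed: no trust
  if (allowed === "*") return true;        // wildcard: trusts every origin
  return allowed === requester;            // ACAO carries a single origin
}

// Session IDs the UA may disclose to `requester`: only those whose owning
// origin has declared trust in `requester`. The requester's own sessions are
// left out (it already knows them). An untrusted origin gets an empty list
// and learns nothing about sessions held by other sites.
function sharedSessionIds(requester, registry = SESSION_REGISTRY, acao = OBSERVED_ACAO) {
  return registry
    .filter((s) => s.origin !== requester && trustsOrigin(s.origin, requester, acao))
    .map((s) => s.sessionId);
}

// Model of the needkey message with the extra parameter from the proposal:
// the initData plus a (possibly empty) list of shareable session IDs.
function buildNeedKeyMessage(requester, initData, registry = SESSION_REGISTRY, acao = OBSERVED_ACAO) {
  return {
    initData,
    sessionIds: sharedSessionIds(requester, registry, acao),
  };
}

// Stand-alone demonstration.
console.log(buildNeedKeyMessage("https://partner.example", "constructed-init-data"));
console.log(buildNeedKeyMessage("https://evil.example", "constructed-init-data"));
```

The check worth keeping in mind when reading the model is the second call: an origin that appears in no site's header gets `sessionIds: []`, the same shape it would get if no other site had any session at all, so the absence of a key request is not distinguishable from the absence of trust.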
Received on Monday, 28 October 2013 18:32:49 UTC