W3C home > Mailing lists > Public > public-web-security@w3.org > April 2014

Thoughts on WebRTC and the web security models / trust scoping

From: Wendy Seltzer <wseltzer@w3.org>
Date: Mon, 28 Apr 2014 16:47:15 -0400
Message-ID: <535EBE53.40203@w3.org>
To: "public-web-security@w3.org" <public-web-security@w3.org>
Hi WebSec folks,

Prompted by a STREWS project report, but mostly riffing off it, I got to
thinking about the ways user perceptions and needs from Web security are
a mis-match with the web security model. In particular, we lack a
security model scoped appropriately to what people will likely want to
do with WebRTC (browser-to-browser real-time communications),
http://www.w3.org/2011/04/webrtc/ , and how to help users understand and
mitigate risks.

Globally, can we step back and ask what users will be wanting to secure
in a WebRTC usage, and what additional primitives are needed to give
them that ability -- or to make much clearer *whom* they will have to be
trusting when they can't get technical assurances of security. Can
WebRTC prompt us to look more closely at the Web security model and
scope the trust domains more closely to the activities.

The problems of trust scoping are myriad, including:

- CAs: once in the root CA store, CAs have the authority to issue
certificates for any domain, and there's no way to limit that (e.g., to
say that MIT's CA can sign certs only for mit.edu and subdomains).
DNSSEC could offer better granularity. Browsers are taking site-specific
measures, such as cert-pinning.

- "Origin": The Same Origin Policy depends on the concept of "origin",
and on its consistent implementation; both of which are challenged (see
expansion of the public suffix list with new domains and new delegation
models). All students, faculty, and alums serving content under mit.edu
are part of the same origin.

- Duration: Permissions may be scoped to site, application, or session
duration, yet none of these may match what a user intends to authorize.

- Key management: Key management is hard, and we still haven't given
users a good way to participate meaningfully in it. Can we help them
build better mental models for secure authentication?

Can we use WebRTC as an occasion for thinking about what a robust and
user-accessible Web Security Model would look like, and what new
components we'd need to build for it?


Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel
and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

This message and any attachments are intended solely for the addressees
and may contain confidential information. Any unauthorized use or
disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable
for the message if altered, changed or falsified. If you are not the
intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission
free from viruses, the sender will not be liable for damages caused by a
transmitted virus
Received on Monday, 28 April 2014 20:47:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:21 UTC