W3C home > Mailing lists > Public > public-html-media@w3.org > October 2013

Re: ACTION-40: Propose text for bug 17202 to propose how to share keys without leakage of information

From: Mark Watson <watsonm@netflix.com>
Date: Mon, 28 Oct 2013 10:13:18 -0700
Message-ID: <CAEnTvdD1NLzmrcB10czO78PYFQ4v+X4ph3VVdpmRAzKh69DinA@mail.gmail.com>
To: Joe Steele <steele@adobe.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
Hi Joe,

Why does the application need to be involved ? If two sites are
"CORS-same-origin" the UA knows this and between the UA and the CDM can't
they just make the keys of one origin available to the other without
involving the application ?


On Mon, Oct 28, 2013 at 9:57 AM, Joe Steele <steele@adobe.com> wrote:

> *I have a rough proposal here, please comment/critique ASAP.*
> In order to share keys between two sites, there are two concerns.
> The first is how to ensure that an untrusted site does not get access to a
> key which is used by another site. The concern here is that the ability to
> detect the existence of keys for a particular site is information leakage,
> and even without an explicit API the lack of a key request would allow
> detection.
> The second is that when two sites trust each other and *could* share keys,
> it is not clear how sites would discover those shared keys. One method
> would be allowing for generally shared information between sites at the CDM
> layer, but this could again lead to information leakage given that CDMs may
> communicate in an opaque manner.
> I propose that the browser uses CORS Access-Control-Allow-Origin headers
> for the sites to determine the trust relationships between them. The
> browser can then provide a list of active session ids for sites trusting
> the current site with the *needkey* message when encountering encrypted
> content. The application can this pass this information down to the CDM
> which can then use those keys when appropriate. This will result in no
> information leakage, since the sites are in control of the trust
> relationship and the trust relationship is visible to the end user by
> virtue of being detailed in the CORS headers.
> This has a few implications:
> * The CDM must be creating the session ID if it wants to support this
> * The browser must keep track of session IDs in relation to CORS trust
> relationships
> * The *needkey *message needs another parameter - a list of session IDs
> which may be empty
> * The *createSession* method needs another parameter - a list of session
> IDs which may be empty
> I would like feedback from browser vendors on how difficult this is to
> implement. The clear benefit is client performance and battery life. The
> decreased network traffic is negligible.
> Joe Steele
> steele@adobe.com
Received on Monday, 28 October 2013 17:13:46 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 15:48:41 UTC