- From: henbos via GitHub <sysbot+gh@w3.org>
- Date: Thu, 13 Jun 2019 13:38:45 +0000
- To: public-webrtc-logs@w3.org
> [BA] This material relates to security. Does it belong in the security considerations section? This is a new subsection of Privacy and Security Considerations. > How the signaling protocol (SDP) is exchanged is unspecified and up to > the application. > > [BA] This sentence could be deleted. Done. > [BA] Suggest deleting "The users of these APIs should note that the SDP content is sensitive; ". Done. > [BA] delete "amounts of" Done. > [BA] Not sure what the one-way media threat is here. Is this a concern about a "voice-hammer" attack? > Suggest a clarification, such as > "unknowngly support one-way media" -> "unintentionally allowing incoming media" The concern is if the application expects a certain outcome. For example, if it listens to "ontrack" to update the UI to show that the call is active as part of attaching the remote track to a video tag, but "ontrack" never fires because the answer is recvonly instead of sendrecv. But I like "unintentionally allowing incoming media". I changed it to: _An application that does not guard against malicious SDP could be at risk of resource deprivation, unintentionally allowing incoming media or not have certain events fire like <code>ontrack</code> if the other endpoint does not negotiate sending._ > [BA] "ensure the authenticity" would seem to be covered by signaling over a secure channel, no? The issue seems to be malevolent (albeit authentic) SDP. Maybe: > "Applications need to be on guard against malevolent SDP." Done. -- GitHub Notification of comment by henbos Please view or discuss this issue at https://github.com/w3c/webrtc-pc/pull/2201#issuecomment-501706667 using your GitHub account
Received on Thursday, 13 June 2019 13:38:46 UTC