Re: [mediacapture-region] Should we support strings in addition or in lieu of opaque identifiers? (#46)

> From the point of view of the recipient of a cropTarget (e.g. a video conference app), I claim it is much easier to be sure that it is genuinely from where it appears to be than a UUID string that may have been passed through several layers of servers. No amount of improvement of the rules on creation of the CropTarget UUID makes any difference to proof of provenance.

1. Assume you got a CropTarget/UUID and you're not sure of its origins. So what? Don't use it!
2. Suppose you've used it. So what? What are the ramifications? You've mis-cropped? There's a simple solution - stop applying CropTargets you receive from untrusted sources.

> It doesn't need to actually apply the UUIDs in a live capture, it still gets usage data.

I believe I have fully addressed that concern in [this message](https://github.com/w3c/mediacapture-region/issues/46#issuecomment-1165788089), which explains how we could make tracking impossible, by observing two simple precautions. If you don't think this adequately blocks the "VC-tracker" attack, please demonstrate how the precautions could be circumvented.

> The existence of cropTargets as UUIDs enables this risk in a way that an opaque token prevents.

This has not been demonstrated. Please read my rebuttal.

-- 
GitHub Notification of comment by eladalon1983
Please view or discuss this issue at https://github.com/w3c/mediacapture-region/issues/46#issuecomment-1166230659 using your GitHub account



Received on Saturday, 25 June 2022 08:47:07 UTC