- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Sat, 16 Mar 2013 07:45:05 +0100
- To: Justin Uberti <juberti@google.com>
- CC: "Suhas Nandakumar (snandaku)" <snandaku@cisco.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
- Message-ID: <514414F1.2020402@alvestrand.no>
On 03/16/2013 02:43 AM, Justin Uberti wrote:
> The realm is supplied by the TURN server during the allocation
> process; if a realm value was specified to the API, I imagine we would
> have to ignore the TURN server if the realms didn't match. I don't
> know how valuable that is.
The mechanism here is described in RFC 5389 section 10.2 - the imagined
usage here is that one has a table of username/passwords in the client
and uses the realm as a lookup key. When following the proposed API
pattern, we already know which server we're talking to; offhand, I can't
think of a realistic case where a single server name would point to
servers replying with different realms.

The security folks among us will have to say whether there's an attack
that I haven't thought of involving the ability to specify realm - if
not, some document (perhaps the IETF -security-arch document) may need
to say that it's OK to provision realm by just accepting anything the
server says, rather than configuring it.
>
>
> On Fri, Mar 15, 2013 at 2:05 PM, Harald Alvestrand
> <harald@alvestrand.no> wrote:
>
> Sounds good to me too.
>
> While we're at it - do we need to add "realm" (RFC 5766, see
> especially section 4 paragraph 4)?
>
>
> On 03/15/2013 06:47 PM, Suhas Nandakumar (snandaku) wrote:
>> Hi,
>>
>> I would like to make a request to add optional "username"
>> parameter to RTCIceServer dictionary to enable one to set the
>> username as part of the configuration.
>>
>> This change is due to removal of user part from the latest TURN
>> URI Spec:
>> http://tools.ietf.org/html/draft-petithuguenin-behave-turn-uris-03 and
>> hence we need a way to include username outside the uri property
>> of the RTCIceServer object.
>>
>> Existing:
>> dictionary RTCIceServer {
>>     DOMString url;
>>     nullable DOMString credential;
>> }
>>
>>
>> Proposed Change:
>> dictionary RTCIceServer {
>>     DOMString url;
>>     nullable DOMString username;
>>     nullable DOMString credential;
>> }
>>
>> Thanks
>> Suhas
>
>
Received on Saturday, 16 March 2013 06:45:41 UTC
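
An added example, not part of the thread and not code from any WebRTC implementation: how a client could answer the TURN server's challenge under the two options discussed above, accepting the realm the server supplies or ignoring the server when a configured realm does not match. The `realm` field on the config object, the function names and all sample values are assumptions made for illustration; the key formula is the long-term credential key from RFC 5389 section 15.4.

```javascript
const crypto = require('crypto');

// RFC 5389 section 15.4: key = MD5(username ":" realm ":" SASLprep(password)).
// SASLprep is omitted; this sketch assumes a plain ASCII password.
function longTermKey(username, realm, password) {
  return crypto.createHash('md5')
    .update(`${username}:${realm}:${password}`, 'utf8')
    .digest();
}

// challenge: { realm, nonce } as parsed from the server's 401 response.
// iceServer.realm is the hypothetical optional field debated in the thread.
function answerChallenge(iceServer, challenge) {
  if (iceServer.realm != null && iceServer.realm !== challenge.realm) {
    // Configured realm does not match what the server sent: skip this server.
    return { use: false, reason: 'realm mismatch' };
  }
  // No realm configured: accept whatever the server says.
  return {
    use: true,
    username: iceServer.username,
    realm: challenge.realm,
    nonce: challenge.nonce,
    key: longTermKey(iceServer.username, challenge.realm, iceServer.credential),
  };
}

// MESSAGE-INTEGRITY is HMAC-SHA1 keyed with the long-term key. stunBytes is
// assumed to be the message already prepared as section 15.4 requires.
function messageIntegrity(key, stunBytes) {
  return crypto.createHmac('sha1', key).update(stunBytes).digest();
}

// Constructed sample values, not taken from the thread.
const sampleServer = {
  url: 'turn:turn.example.org',
  username: 'alice',
  credential: 'constructed-password',
};
const sampleChallenge = { realm: 'example.org', nonce: 'constructed-nonce' };
```

Because the realm is hashed into the key, a server that answers with a different realm ends up with a different key for the same username and password.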