Re: RTCIceServer and username from Jan-Ivar Bruaroey on 2014-01-08 (public-webrtc@w3.org from January 2014)

From: Jan-Ivar Bruaroey <jib@mozilla.com>
Date: Wed, 08 Jan 2014 14:38:11 -0500
To: Harald Alvestrand <harald@alvestrand.no>, public-webrtc@w3.org
Message-ID: <52CDA923.7050009@mozilla.com>

On 1/6/14 4:55 PM, Harald Alvestrand wrote:
> On 01/06/2014 05:06 PM, Eric Rescorla wrote:
>> http://dev.w3.org/2011/webrtc/editor/webrtc.html#dictionary-rtcconfiguration-members 
>>
>> has:
>>
>> dictionary RTCIceServer {
>>      (DOMString or sequence<DOMString>) urls;
>>      DOMString?                         username = null;
>>      DOMString?                         credential;
>> };
>>
>> AFAICT, username isn't really optional for TURN servers (RFC 5766 says):
>>
>>     [RFC5389] specifies an authentication mechanism called the long-term
>>     credential mechanism.  TURN servers and clients MUST implement this
>>     mechanism.  The server MUST demand that all requests from the client
>>     be authenticated using this mechanism, or that a equally strong or
>>     stronger mechanism for client authentication is used.
>>
>> (and username and credential should have the same status in any case).
>>
>> I suspect we either need two classes (one for TURN and one for STUN)
>> or explanatory text saying that you need to provide this for TURN.
>
> Explanatory text seems like the right path to me. Since it contains 
> URLs, the syntax doesn't constrain it to be TURN or STUN, and the 
> quoted text does seem to make it possible that there will be other 
> ways to do this authentication.

+1. A separate class wouldn't do any good because dictionary members are 
inherently optional.

I think the prose should say UAs MUST check and throw for TURN.

While we're looking at this...

Having username and credential be nullable (i.e. explicitly supporting 
the passing-in of the value null) seems unnecessary and a mistake. Is it 
too late to tighten this up as follows?

dictionary RTCIceServer {
     (DOMString or sequence<DOMString>) urls;
     DOMString                          username;
     DOMString                          credential;
};

If that looks wrong, consider it really being like this:

dictionary RTCIceServer {
     optional (DOMString or sequence<DOMString>) urls;
     optional DOMString                          username;
     optional DOMString                          credential;
};


Which is what it essentially is (optional is inherent in dictionary 
members).

A common confusion in webidl is between:

Optional (the keyword 'optional' or anything in a dictionary): The 
ability to omit.
Nullable (the '?' operator): Adds null to the values acceptable to pass 
in or hold.
Default (the '=' operator, valid only with optional): in practice 
removes implementer burden/ability to check whether something was passed in.

.: Jan-Ivar :.

Received on Wednesday, 8 January 2014 19:38:41 UTC