Re: Other work needed ?- was Re: Proposed Charter Changes

Hi Cullen,

Thanks for asking, :-). Please see below for answers.

>
>Hi, regardless of anything to do with charters, I just wanted to learn a
>but more about what you had in mind with the following:

We really do not want to trigger a discussion right now in the WG that
takes focus from finishing 1.0 and then bringing 1.0 and ORTC together-
our interest is merely to ensure work can be done after that has been
secured, say sometime Q1 2016 (hopefully!).

>
>> On May 7, 2015, at 7:29 AM, Göran Eriksson AP
>><goran.ap.eriksson@ericsson.com> wrote:
>> 
>> * harmonization with rest of WebAppSec (and others) about Web platform
>> security evolution
>
>Thoughts on what's needed? I worry that much of the security will be
>largely unchangeable by the time we ship 1.0 so want to check if there is
>anything we need to deal with now. Of course agree harmonization is good,
>just not sure what is needed.

One example is the WebAppSec WG Permission API (getusermedia of course but
as an example). 

> 
>
>> * General User Security and Privacy improvements
>
>Again, I worry that later things will only make the privacy worse not
>better so love to hear what you have in mind.

I could imagine discussing using CSP directive for controlling the ICE
candidates exposure,
perhaps the ICE origin as well. And enforcing stuns, turns perhaps?


> 
>
>> * Delegation use cases (Web app from one origin, part of find and
>> connect, TURN, conference servers from another provider (and origin))
>> for verticals like Financial, E-health and Manufacturing
>
>As long as  TURN credentials are coordinated between the TURN provider
>and web provider (and there is work to improve that as you know), it
>seems to work now to get TURN servers from one provider, conferencing
>servers from another, and build the website on yet another origin, and
>the rendezvous servers could be via another service.  For example, I've
>seen apps with PubHub for rendezvous, Tropo for media server, and
>webserver off Heroku. Something more needed?

It is not that it does not work, itıs if it can be made more secure.

In the case of delegation, often a JSL comes along to manage the
peerConnection. This is something one would like to isolate from the rest
of the web app from the origin. Our first webkit contribution many years
ago for this purpose was the sandbox flag on the iFrame. Not iFrame is not
the way to go nowadays apparently, but the basic idea of isolating a JSL
from other origins is still one worthwhile exploring we think.

I should mention that much of this may not be about specifications but
perhaps Best practice or something similar.

But again, we really do not wish to have this discussion on the list
taking focus from the work lying ahead; finishing 1.0 and bringing ORTC
and webRTC 1.0 together. Itıs about the charter and opening up for new
work after that as been done. Perhaps something for a WebRTC session at
TPAC?

Be well!
Göran


>
>

Received on Tuesday, 12 May 2015 19:00:53 UTC