LGTM2 On Tue, Aug 31, 2021 at 5:18 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
> Thanks for verifying! > > Given that this was never supported by other browsers, LGTM1 to remove > > On Tue, Aug 31, 2021 at 11:31 AM Harald Alvestrand <h...@google.com> wrote: > >> I have now verified that neither Safari nor Firefox ever shipped SDES. >> >> Given Yoav's comments about throwing versus erroring upstream, I'm going >> to propose going with the "just ignore the dictionary member once it's >> gone" approach. >> >> >> On Fri, Aug 27, 2021 at 8:22 AM Yoav Weiss <yoavwe...@chromium.org> >> wrote: >> >>> >>> >>> On Fri, Aug 27, 2021 at 7:31 AM Philipp Hancke < >>> philipp.han...@googlemail.com> wrote: >>> >>>> Am Do., 26. Aug. 2021 um 22:47 Uhr schrieb Harald Alvestrand < >>>> h...@google.com>: >>>> >>>>> >>>>> >>>>> On Thu, Aug 26, 2021 at 9:29 PM Yoav Weiss <yoavwe...@chromium.org> >>>>> wrote: >>>>> >>>>>> A few questions raised at the API OWNERS meeting today. >>>>>> >>>>>> On Thursday, August 26, 2021 at 1:34:11 PM UTC+2 Harald Alvestrand >>>>>> wrote: >>>>>> >>>>>>> On Thu, Aug 26, 2021 at 1:10 PM Yoav Weiss <yoavwe...@chromium.org> >>>>>>> wrote: >>>>>>> >>>>>>>> What would breakage look like? >>>>>>>> >>>>>>> >>>>>>> Once the feature is gone (the end state), anyone attempting to set >>>>>>> up a connection using SDES will have their session rejected. >>>>>>> Anyone attempting to set the constraint will just have it ignored, >>>>>>> like any other unsupported value in a dictionary. >>>>>>> >>>>>> >>>>>> OK. Any enterprise risk here? Are you aware of any enterprise apps >>>>>> using this? >>>>>> >>>>> >>>>> I doubt it. There is no real reason for using it; DTLS is safer and >>>>> simpler to configure. >>>>> >>>> >>>> I bet there are some callcenters using it on the agent side and being >>>> callcenters, they won't report metrics. >>>> The list of vendors is known though. As is the IETF 2013 consensus that >>>> this is a MUST NOT. >>>> >>> >>> Are there vendors still selling such software nowadays? >>> >>> >>>> >>>> >>>>> >>>>>> >>>>>>> >>>>>>> I'm thinking that we should add an intermediate step where anyone >>>>>>> attempting to configure SDES has the constructor throw rather than >>>>>>> ignoring >>>>>>> the member. >>>>>>> >>>>>> >>>>>> An unhandled exception seems more risky than a silent failure here, >>>>>> right? >>>>>> Any reason to think console warnings won't be enough? >>>>>> >>>>> >>>>> The connection won't go through anyway unless both ends of the >>>>> connection upgrade at the same time; throwing is a failure that is more >>>>> obvious. >>>>> When things fail, I like to have them fail for obvious reasons. >>>>> >>>> >>>> The existing behaviour of throwing in setRemoteDescription when >>>> receiving an SDES-only offer seems good (and works in both Chrome and >>>> Firefox). >>>> The error code might need some work, it differs between Chrome and >>>> Firefox. >>>> >>>> We have some test coverage for this: >>>> >>>> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/fast/peerconnection/RTCPeerConnection-sdes-constraint.html;l=11;drc=09074552ce314b5d942d960ceaa90599671ee137 >>>> I'll add a negative assertion as a WPT. Why ask when you can write a >>>> test :-) >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> What's the requested timeline for the deprecation part of this? >>>>>>>> >>>>>>> >>>>>>> I'd like to get the deprecation warning in 95 (stable Oct 19), start >>>>>>> throwing in 97 (stable Jan 4), and removing the code entirely in 99 >>>>>>> (stable >>>>>>> Mar 1). >>>>>>> >>>>>>> >>>>>>>> Any plans for targeted outreach for the remaining users? >>>>>>>> >>>>>>> >>>>>>> Only the usual PSA on webrtc-users and discuss-webrtc + word of >>>>>>> mouth. >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> On Thu, Aug 26, 2021 at 11:05 AM 'Philipp Hancke' via blink-dev < >>>>>>>> blink-dev@chromium.org> wrote: >>>>>>>> >>>>>>>>> stats here: >>>>>>>>> https://www.chromestatus.com/metrics/feature/timeline/popularity/2383 >>>>>>>>> >>>>>>>> >>>>>>>> Impressive decline in usage! >>>>>>>> >>>>>>>> >>>>>>>>> Away with it! >>>>>>>>> >>>>>>>>> Am Do., 26. Aug. 2021 um 10:45 Uhr schrieb 'Harald Alvestrand' via >>>>>>>>> blink-dev <blink-dev@chromium.org>: >>>>>>>>> >>>>>>>>>> Contact emails...@chromium.org >>>>>>>>>> >>>>>>>>>> ExplainerNone >>>>>>>>>> >>>>>>>>>> Specificationhttps://www.rfc-editor.org/rfc/rfc8826#section-4.3.1 >>>>>>>>>> >>>>>>>>>> Summary >>>>>>>>>> >>>>>>>>>> The SDES key exchange mechanism for WebRTC has been declared a >>>>>>>>>> MUST NOT in the relevant IETF standards since 2013. The SDES >>>>>>>>>> specification >>>>>>>>>> has been declared Historic by the IETF. Its usage in Chrome has >>>>>>>>>> declined >>>>>>>>>> significantly over the recent year. This intent is to deprecate and >>>>>>>>>> remove >>>>>>>>>> this code from Chromium and WebRTC. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Blink componentBlink>WebRTC>Network >>>>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebRTC%3ENetwork> >>>>>>>>>> >>>>>>>>>> Motivation >>>>>>>>>> >>>>>>>>>> The reason why SDES is deprecated is that it is a security >>>>>>>>>> problem: It exposes session keys to Javascript, which means that >>>>>>>>>> entities >>>>>>>>>> with access to the negotiation exchange, or with the ability to >>>>>>>>>> subvert the >>>>>>>>>> Javascript, can decrypt the media sent over the connection. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Initial public proposal >>>>>>>>>> >>>>>>>>>> TAG review >>>>>>>>>> >>>>>>>>>> TAG review statusNot applicable >>>>>>>>>> >>>>>>>>>> Risks >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Interoperability and Compatibility >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Gecko: No signal >>>>>>>>>> >>>>>>>>>> WebKit: No signal >>>>>>>>>> >>>>>>>>> >>>>>>>> Filing for signals may be an overkill here, but are there bugs >>>>>>>> filed on other implementers asking them to follow? >>>>>>>> >>>>>>> >>>>>> Is SDES shipped in other browsers? What's the status there? >>>>>> >>>>> >>>>> I believe that neither Firefox nor WebKit ever shipped SDES, but I put >>>>> "no signal" because I haven't checked. >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>>> Web developers: No signals >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Debuggability >>>>>>>>>> >>>>>>>>>> When this feature is removed, people attempting to set up such a >>>>>>>>>> connection will fail to do so. This should be easy to diagnose. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >>>>>>>>>> ?No >>>>>>>>>> >>>>>>>>>> Flag name >>>>>>>>>> >>>>>>>>>> Requires code in //chrome?False >>>>>>>>>> >>>>>>>>>> Tracking bughttps://crbug.com/webrtc/11066 >>>>>>>>>> >>>>>>>>>> Estimated milestones >>>>>>>>>> >>>>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>>>> https://www.chromestatus.com/feature/5695324321480704 >>>>>>>>>> >>>>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>>>> <https://www.chromestatus.com/>. >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> You received this message because you are subscribed to the >>>>>>>>>> Google Groups "blink-dev" group. >>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>>>> To view this discussion on the web visit >>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOqqYVFNbzG24kGbRFT1sMAroU4ifwv%2BpkA0kU2vkmpHFSgDrQ%40mail.gmail.com >>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOqqYVFNbzG24kGbRFT1sMAroU4ifwv%2BpkA0kU2vkmpHFSgDrQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>>> . >>>>>>>>>> >>>>>>>>> -- >>>>>>>>> You received this message because you are subscribed to the Google >>>>>>>>> Groups "blink-dev" group. >>>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>>> To view this discussion on the web visit >>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADxkKiJrgemVNeyGP5bw%3Dp40%2Bwc6Zbxi3q-CRWpqV%2BpU%3Dk8%2BgQ%40mail.gmail.com >>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADxkKiJrgemVNeyGP5bw%3Dp40%2Bwc6Zbxi3q-CRWpqV%2BpU%3Dk8%2BgQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>>> . >>>>>>>>> >>>>>>>> -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU5SOqsi%3DRLqU5UJYW-%2Bq3mRZ3-%2Bt5Bkx9_iPCebyMPCg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU5SOqsi%3DRLqU5UJYW-%2Bq3mRZ3-%2Bt5Bkx9_iPCebyMPCg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_-nv9RqP4p-3RgJvdUMJDmFsE02LKtgkMuau1qqSEyhA%40mail.gmail.com.
