--- 1/draft-ietf-rtcweb-security-05.txt	2014-01-21 01:14:32.467533961 -0800
+++ 2/draft-ietf-rtcweb-security-06.txt	2014-01-21 01:14:32.519535276 -0800
@@ -1,66 +1,55 @@
 
 RTC-Web                                                      E. Rescorla
 Internet-Draft                                                RTFM, Inc.
-Intended status:  Standards Track                          July 15, 2013
-Expires:  January 16, 2014
+Intended status:  Standards Track                       January 22, 2014
+Expires:  July 26, 2014
 
                    Security Considerations for WebRTC
-                     draft-ietf-rtcweb-security-05
+                     draft-ietf-rtcweb-security-06
 
 Abstract
 
    The Real-Time Communications on the Web (RTCWEB) working group is
    tasked with standardizing protocols for real-time communications
    between Web browsers, generally called "WebRTC".  The major use cases
    for WebRTC technology are real-time audio and/or video calls, Web
    conferencing, and direct data transfer.  Unlike most conventional
    real-time systems (e.g., SIP-based soft phones) WebRTC communications
    are directly controlled by a Web server, which poses new security
    challenges.  For instance, a Web browser might expose a JavaScript
    API which allows a server to place a video call.  Unrestricted access
    to such an API would allow any site which a user visited to "bug" a
    user's computer, capturing any activity which passed in front of
    their camera.  This document defines the WebRTC threat model and
    analyzes the security threats of WebRTC in that model.
 
-Legal
-
-   THIS DOCUMENT AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON
-   AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
-   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
-   IETF TRUST, AND THE INTERNET ENGINEERING TASK FORCE, DISCLAIM ALL
-   WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
-   WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE
-   ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
-   FOR A PARTICULAR PURPOSE.
-
 Status of this Memo
 
    This Internet-Draft is submitted in full conformance with the
    provisions of BCP 78 and BCP 79.
 
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at http://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on January 16, 2014.
+   This Internet-Draft will expire on July 26, 2014.
 
 Copyright Notice
 
-   Copyright (c) 2013 IETF Trust and the persons identified as the
+   Copyright (c) 2014 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
    carefully, as they describe your rights and restrictions with respect
    to this document.  Code Components extracted from this document must
    include Simplified BSD License text as described in Section 4.e of
    the Trust Legal Provisions and are provided without warranty as
@@ -371,21 +360,21 @@
    be shared rather than having the user propose it.
 
    A less obvious threat involves the impact of screen sharing on the
    Web security model.  A key part of the Same Origin Policy is that
    HTML or JS from site A can reference content from site B and cause
    the browser to load it, but (unless explicitly permitted) cannot see
    the result.  However, if a web application from a site is screen
    sharing the browser, then this violates that invariant, with serious
    security consequences.  For example, an attacker site might request
    screen sharing and then briefly open up a new Window to the user's
-   bank or Gmail account, using screen sharing to read the resulting
+   bank or webmail account, using screen sharing to read the resulting
    displayed content.  A more sophisticated attack would be open up a
    source view window to a site and use the screen sharing result to
    view anti cross-site request forgery tokens.
 
    These threats suggest that screen/application sharing might need a
    higher level of user consent than access to the camera or microphone.
 
 4.1.2.  Calling Scenarios and User Expectations
 
    While a large number of possible calling scenarios are possible, the
@@ -960,51 +949,51 @@
    o  Added a section about "malicious peers".
    o  Added a section describing screen sharing threats.
    o  Assorted editorial changes.
 
 8.  References
 
 8.1.  Normative References
 
    [I-D.ietf-rtcweb-overview]
               Alvestrand, H., "Overview: Real Time Protocols for Brower-
-              based Applications", draft-ietf-rtcweb-overview-06 (work
-              in progress), February 2013.
+              based Applications", draft-ietf-rtcweb-overview-08 (work
+              in progress), September 2013.
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.
 
 8.2.  Informative References
 
    [CORS]     van Kesteren, A., "Cross-Origin Resource Sharing".
 
    [I-D.ietf-avtcore-6222bis]
               Begen, A., Perkins, C., Wing, D., and E. Rescorla,
               "Guidelines for Choosing RTP Control Protocol (RTCP)
               Canonical Names (CNAMEs)", draft-ietf-avtcore-6222bis-06
               (work in progress), July 2013.
 
    [I-D.ietf-rtcweb-security-arch]
-              Rescorla, E., "RTCWEB Security Architecture",
-              draft-ietf-rtcweb-security-arch-06 (work in progress),
-              January 2013.
+              Rescorla, E., "WebRTC Security Architecture",
+              draft-ietf-rtcweb-security-arch-07 (work in progress),
+              July 2013.
 
    [I-D.kaufman-rtcweb-security-ui]
               Kaufman, M., "Client Security User Interface Requirements
               for RTCWEB", draft-kaufman-rtcweb-security-ui-00 (work in
               progress), June 2011.
 
    [I-D.muthu-behave-consent-freshness]
-              Perumal, M., Wing, D., R, R., and H. Kaplan, "STUN Usage
+              Perumal, M., Wing, D., R, R., and T. Reddy, "STUN Usage
               for Consent Freshness",
-              draft-muthu-behave-consent-freshness-03 (work in
-              progress), February 2013.
+              draft-muthu-behave-consent-freshness-04 (work in
+              progress), July 2013.
 
    [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
 
    [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
               A., Peterson, J., Sparks, R., Handley, M., and E.
               Schooler, "SIP: Session Initiation Protocol", RFC 3261,
               June 2002.
 
    [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
               Text on Security Considerations", BCP 72, RFC 3552,