Hi! Doc Shepherd here ;)

> On Feb 12, 2019, at 14:44, Joe Clarke <jclarke@xxxxxxxxx> wrote:
>
> Reviewer: Joe Clarke
> Review result: Not Ready
>
> I have been assigned to review this document on behalf of the Ops directorate.
> In general, I found the document well-written, but the reason I marked it as
> not ready is that I was confused as to its standards track trajectory. I do not see
> any kind of inter-operable standard being defined here. On my reading --
> before I noticed it was standards track -- it felt informational. While it
> does set out a threat model for the browser, I struggle to see how that needs
> to be standardized.

The rationale I provided in the Shepherd write-up was this:

This draft is bound standards track because it includes all of the WebRTC security considerations and will be referred to from all WebRTC WG drafts.

There are also 8 2119-MUSTs/MUST NOTs in the document that affect browser behavior, which (I think) gets it over the informational level hurdle.

> On that threat model note, the abstract indicates that the WebRTC threat model
> will be laid out, but section 3 defines a more general browser threat model.

It does, but the 1st sentence explains why they are the same. I guess we could rename the section, but it’s just a layer of indirection.

> Beyond those items, I noticed various nits and other small items when reading
> the document. Most broadly, I feel this document would benefit from a
> terminology section to define acronyms such as ICE, TURN, STUN, VoIP, etc.
> Additionally, in section 3.1, the document refers to "scripts" in a general
> way. While the implication is JavaScript code that will run in a browser, I
> think that kind of context setting might be made more explicit in a terminology
> section.
>
> Other nits are mentioned below on a section-by-section basis.

I addressed these in the following PR:

https://github.com/rtcweb-wg/security/pull/13

> Section 1:
>
> s/implementated/implemented/
>
> ===
>
> Section 3.2:
>
> s/provide a escape hatch/provide an escape hatch/
>
> ===
>
> Section 4.2:
>
> s/signficant/significant/
>
> ===
>
> Section 4.2.3:
>
> s/ threats is less severe/threats are less severe/
>
> ===
>
> Section 4.3:
>
> s/ The calling service is is/The calling service is/
>
> ===
>
> Section 4.3.2.1:
>
> OLD:
>
> (a) the browser to trusted UI to provide the name and
>
> I don't grok this sentence fragment. There seems to be a verb missing, and I'm
> not sure what your intent is here.

I suggest “the browser has trusted UI …”. If that’s wrong I can amend the PR.

> ===
>
> Section 4.3.2.2:
>
> s/e.g., read aloud over the the voice/e.g., read aloud over the voice/
>
> s/However, it it is well-known/However, it is well-known/