[AVT] RE: Comments on draft-ietf-avt-rtp-vc1-02



>>>T1. Will it be possible to carry any type of active content (like 
>>>scripts or Java code) in the VC-1 user data? If that is the case there
>>
>Yes, sorry, I meant RFC 3640 that contains such paragraphs in its 
>security consideration section.

I can understand that RFC 3640 needs to discuss security, because
MPEG-J, BIFS, etc., are part of the MPEG-4 spec itself.  The VC-1
user-data, on the other hand, is registered separately by SMPTE.  

VC-1 user-data is actually identical to the MPEG-2 user-data.  And RFC
2250 (MPEG-2 RTP Payload Format) doesn't mention user-data as a security
risk.

In my opinion, putting a warning about user-data is a little bit like
putting a warning against downloading binaries in the HTTP spec, or
putting a warning about telemarketer scams in the SIP spec. :-)

Nevertheless, I have written the following paragraph, to be added to the
VC-1 security considerations section:

"VC-1 bit streams can carry user-data, such as closed captioning
information and content meta-data.  VC-1 requires identifiers for
user-data to be registered with SMPTE.  Depending on the type of
user-data, it might be possible for a sender to generate user-data in a
non-compliant manner to crash the receiver or make it temporarily
unavailable.  Senders that transport VC-1 bit streams SHOULD ensure that
the user-data is compliant with the specification registered with SMPTE
(see Annex F of [1].)  Receivers should prevent malfunction in case of
non-compliant user-data."

Does it look OK?

Anders


_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www1.ietf.org/mailman/listinfo/avt