Re: [webrtc-pc] Allow to import existing certificate

I had to glance through the IETF draft to understand that... this is because only the fingerprints are included in the identity assertion, right? Now the RTCWeb mailing list makes more sense to me, too. And I would be in favour of the idea to bind the assertion to the session and the cert (instead of only the latter).

Let's put the IdP issue aside for a moment. The site would have access to the private key, correct. Is there a problem with that (other than malicious third-party scripts)?

-- 
GitHub Notification of comment by lgrahl
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1853#issuecomment-385668495 using your GitHub account

Received on Tuesday, 1 May 2018 13:17:52 UTC