- From: Harald Alvestrand via GitHub <sysbot+gh@w3.org>
- Date: Thu, 11 Aug 2016 14:13:35 +0000
- To: public-webrtc@w3.org
martinthomson has just merged pull request 719 for https://github.com/w3c/webrtc-pc:

== The IdP environment can be spoofed ==

This isn't a problem for validating assertions; presumably an attacker would have an easier time asking RTCPeerConnection to unpack an assertion if they wanted to learn the identity it contains.

However, for generating an assertion it is important. An IdP therefore needs to draw on information that only it knows if it is going to avoid being spoofed. For any real IdP, that is probably going to be automatic: they will look at what they have stored (which is specific to their origin), or make requests to servers. Those requests to servers won't allow cross-origin access unless something is seriously wrong.

Closes #253.

See https://github.com/w3c/webrtc-pc/pull/719
Received on Thursday, 11 August 2016 14:13:42 UTC