Worth mentioning that as I pointed out during my presentation in TPAC these APIs could be generic APIs to process/transforms encoded frames, and it is up to the application to write their own transformation including encryption. Emad On Tue, Nov 27, 2018 at 2:28 AM Sergio Garcia Murillo < sergio.garcia.murillo@gmail.com> wrote: > On 26/11/2018 19:59, Adam Roach wrote: > > On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote: > >> That the IdP script is trusted, so I don't see any reason why it > >> can't handle the keys. > > > > > > This doesn't make any sense. There's nothing that prevents the domain > > hosting the application JavaScript from pointing to its own IdP (or an > > IdP under its control) using setIdentityProvider() -- which has the > > exact same security properties of handing the key to itself under your > > proposal. > > No, because the browser will show the domain on the prompt and you will > know who you do trust. If not IdP would be completely useless. > > > > > The IdP is trusted to do one very exact and precise thing. Media key > > handling is very different than identity assertion. > > > Why? Idp can say: remote peer is "Sergio Garcia" and this is his public > key so you can send media to him (on top of dtls keys that are exchanged > normally and not available to the app) > > Best regards > > Sergio > > > >
Received on Tuesday, 27 November 2018 19:04:53 UTC