Re: [webrtc-pc] Specifying third party IdP for validating assertion from Martin Thomson via GitHub on 2018-06-19 (public-webrtc-logs@w3.org from June 2018)

From: Martin Thomson via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Jun 2018 06:25:29 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-398288188-1529389528-sysbot+gh@w3.org>

This is correct, but I'm not seeing an issue here.  Yes, one origin can produce an assertion that is validated by a different origin.  Yes, the browser that is used to produce an assertion doesn't validate that assertion (it's not the relying party).

This might sound like a problem, but it isn't.  You can read about why if you dig into SIGMA, and draft-ietf-mmusic-sdp-uks contains a more direct description of the problems that arise from this (and defenses you need).

-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506#issuecomment-398288188 using your GitHub account

Received on Tuesday, 19 June 2018 06:26:11 UTC