W3C home > Mailing lists > Public > public-webrtc-logs@w3.org > June 2018

Re: [webrtc-pc] Specifying third party IdP for validating assertion

From: Martin Thomson via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Jun 2018 06:25:29 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-398288188-1529389528-sysbot+gh@w3.org>
This is correct, but I'm not seeing an issue here.  Yes, one origin can produce an assertion that is validated by a different origin.  Yes, the browser that is used to produce an assertion doesn't validate that assertion (it's not the relying party).

This might sound like a problem, but it isn't.  You can read about why if you dig into SIGMA, and draft-ietf-mmusic-sdp-uks contains a more direct description of the problems that arise from this (and defenses you need).

-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506#issuecomment-398288188 using your GitHub account
Received on Tuesday, 19 June 2018 06:26:11 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 6 May 2023 21:19:44 UTC