- From: Martin Thomson via GitHub <sysbot+gh@w3.org>
- Date: Mon, 04 Nov 2019 02:56:35 +0000
- To: public-webrtc-logs@w3.org
For 1., the goal is to make the object serializable for the purposes of passivation, but not for reuse by other origins. This matches what you surmised already. Passing the certificate is harmless and could be useful for informational purposes if the intent was to access the DER (or a fingerprint, which is an actual method that we currently support). It's use of the certificate for authentication that is problematic in the sense that we aren't comfortable with the idea of the same credential being used across origins. I'm not aware of a concrete security issue that cross-origin use of this credential might create, but caution suggests that we apply the constraint. So for 2., whether the constraint manifests as failure during messaging or failure when an origin attempts to use the object isn't that important in this case. The informational uses for passing `RTCCertificate` can be achieved by accessing the necessary functions and passing the resulting data. In conclusion, I don't see why we couldn't replace the check in SS4.4.1.1s4.2 with a reliance on the proposed mechanism. We still need the expiration check though. -- GitHub Notification of comment by martinthomson Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/2343#issuecomment-549211060 using your GitHub account
Received on Monday, 4 November 2019 02:56:36 UTC