- From: Adam Roach <adam@nostrum.com>
- Date: Sun, 6 Sep 2015 12:27:19 -0500
- To: public-webrtc@w3.org
On 9/6/15 11:52 AM, Harald Alvestrand wrote:
> What would you recommend as the best explanation of what the "identity"
> asserted by an ephemeral cert "means"?

For the "stable identity" situation Martin mentions, it's functionally equivalent to the certs used by SSH.

> I had a discussion with a colleague the other day about this - as far as
> I can tell, an ephemeral cert signed by no trusted party can be used for
> reassurance that the signalling channel and the media channel have
> either not been MITMed or that they have both been MITMed by the same
> attacker.

For an unsigned, one-time-use (or first-time-use) cert, that's my understanding. This is why the identity portion of the spec is so important, both for being complete and well-defined in the 1.0 spec, and for being implemented in WebRTC-supporting browsers.

/a
Received on Sunday, 6 September 2015 17:27:44 UTC
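
The SSH comparison in the message above, as an added example that is not part of the original e-mail or of the WebRTC specification: a `known_hosts`-style pin of the DTLS certificate fingerprint carried in the SDP `a=fingerprint` attribute. The `pins` store, the `peerId` label and the sample fingerprints are assumptions made for illustration.

```javascript
// Added example: SSH-style trust-on-first-use pinning of a WebRTC peer's
// DTLS certificate fingerprint taken from the SDP a=fingerprint attribute.

// Extract every a=fingerprint value from an SDP blob, normalised to
// "<hash-func> <UPPERCASE:HEX>" so comparisons are case-insensitive.
function extractFingerprints(sdp) {
  const found = new Set();
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/.exec(line);
    if (m) found.add(`${m[1].toLowerCase()} ${m[2].toUpperCase()}`);
  }
  return [...found].sort();
}

// pins plays the role of SSH's known_hosts: peerId -> pinned fingerprint list.
// peerId is whatever stable label the application uses for the peer (assumption).
function checkPeer(pins, peerId, sdp) {
  const seen = extractFingerprints(sdp);
  if (seen.length === 0) return "no-fingerprint"; // nothing to bind media to
  const pinned = pins.get(peerId);
  if (!pinned) {
    pins.set(peerId, seen); // first use: no assurance yet, just remember the key
    return "first-use";
  }
  // Every fingerprint offered now must have been pinned before.
  return seen.every((fp) => pinned.includes(fp)) ? "match" : "mismatch";
}

// Constructed sample SDP fragments (fingerprint values are made up).
const FP_A = "4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB:4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF";
const FP_B = FP_A.replace(/^4A/, "5B");
const sdpWith = (fp) => `v=0\r\nm=audio 9 UDP/TLS/RTP/SAVPF 111\r\na=fingerprint:sha-256 ${fp}\r\na=setup:actpass\r\n`;

function demo() {
  const pins = new Map();
  return [
    checkPeer(pins, "alice", sdpWith(FP_A)),               // first-use
    checkPeer(pins, "alice", sdpWith(FP_A.toLowerCase())), // match
    checkPeer(pins, "alice", sdpWith(FP_B)),               // mismatch
    checkPeer(pins, "alice", "v=0\r\n"),                   // no-fingerprint
  ];
}
console.log(demo());
```

A `match` only says the peer presented the same key as on first contact; the `first-use` result carries no assurance beyond what the signalling channel itself provides.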