
[webrtc-pc] Merged Pull Request: The IdP environment can be spoofed

From: Harald Alvestrand via GitHub <sysbot+gh@w3.org>
Date: Thu, 11 Aug 2016 14:13:35 +0000
To: public-webrtc@w3.org
Message-ID: <pull_request.closed-75256729-1470924813-sysbot+gh@w3.org>

martinthomson has just merged pull request 719 for
https://github.com/w3c/webrtc-pc:

== The IdP environment can be spoofed ==
This isn't a problem for validating assertions; presumably an
attacker would have an easier time asking RTCPeerConnection to
unpack an assertion if they wanted to learn the identity it
contains.

However, for generating an assertion it is important.  An IdP
therefore needs to draw on information that only it knows if it
is going to avoid being spoofed.  For any real IdP, that is
probably going to be automatic: they will look at what they have
stored (which is specific to their origin), or make requests
to servers.  Those requests to servers won't allow cross-origin
access unless something is seriously wrong.

Closes #253.

See https://github.com/w3c/webrtc-pc/pull/719
Received on Thursday, 11 August 2016 14:13:42 UTC
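
The point about generating assertions, as an added example that is not part of the original message or of webrtc-pc: the identity placed in an assertion comes only from state the IdP reads from its own origin, never from values the calling environment supplies. The names `buildAssertion`, `session`, `callerHint`, `sign`, `demoSign` and the domain `idp.example` are assumptions made for illustration.

```javascript
// Added illustration. An IdP script would call buildAssertion() from its
// assertion-generation callback after reading `session` from its own
// origin-scoped storage or from a request to its own server.
const IDP_DOMAIN = 'idp.example'; // constructed placeholder domain

function buildAssertion(contents, options, session, sign) {
  // If the script was loaded into an environment it does not control, the
  // storage it reads belongs to some other origin, so no session of ours
  // exists there. Refuse rather than fall back to caller-supplied data.
  if (!session || typeof session.user !== 'string' || session.user === '') {
    throw new Error('no IdP session found in origin-scoped state');
  }
  // A hint from the caller (hypothetical field) may be compared with what
  // the IdP already knows, but it never decides who the user is.
  const hint = options && options.callerHint;
  if (hint && hint !== session.user) {
    throw new Error('caller hint does not match the logged-in user');
  }
  // `contents` is opaque to the IdP; it is bound to the identity as given.
  const payload = JSON.stringify({ identity: session.user, contents });
  return {
    idp: { domain: IDP_DOMAIN, protocol: 'default' },
    assertion: JSON.stringify({ payload, sig: sign(payload) }),
  };
}

// Constructed stand-in for the IdP's real signing backend (not a real signature).
const demoSign = (payload) => 'demo-sig-over-' + payload.length + '-bytes';

// Constructed scenarios: a genuine session, a missing one, a mismatched hint.
const scenarios = [
  { name: 'own origin', options: {}, session: { user: 'alice@idp.example' } },
  { name: 'no session visible', options: {}, session: null },
  { name: 'hint mismatch', options: { callerHint: 'bob@idp.example' },
    session: { user: 'alice@idp.example' } },
];
for (const s of scenarios) {
  try {
    const r = buildAssertion('constructed-contents', s.options, s.session, demoSign);
    console.log(s.name + ': issued for ' + JSON.parse(JSON.parse(r.assertion).payload).identity);
  } catch (e) {
    console.log(s.name + ': refused (' + e.message + ')');
  }
}
```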
