W3C home > Mailing lists > Public > public-webrtc@w3.org > May 2016

STIR Passport objects in WebRTC Indentity

From: Cullen Jennings (fluffy) <fluffy@cisco.com>
Date: Mon, 9 May 2016 21:20:27 +0000
To: public-webrtc <public-webrtc@w3.org>
Message-ID: <77AC8A47-0DA2-4229-8AB5-C51DCAFB553D@cisco.com>

I've been looking at how WebRTC Identity and STIR work together and put together a worked out example at 


WebRTC is very flexible about supporting lots of different identity assertion. The STIR WG has been developing an identity asserted called passport (nothing to do with MS passport). One thing that comes up when using them with WebRTC is in the call to pc.setIdentityProvider. It would be really nice to have an optional parameter to the pc.setIdentityProvider that could provide the list of destination addresses. 

For many identity services, having the ability to include the destination user in the assertion improves security because it eliminates some of the sort of cut and paste attacks where an attacker takes a session from Alice to Bob, and instead sends it to Charlie or a even a huge number of other people. If the destination (bob) is not included in assertion, there is no way for Charlie to know that Alice meant to call Bob and got redirected to Charlie before Charlie forms the connection. 

To support identity services that want to include the destination, I think we should extend the pc.setIdentityProvider API to include an optional destinationHint that is very similar to existing usernameHint. Having that would improve WebRTC working with STIR identity and would also help other identity systems. 
Received on Monday, 9 May 2016 21:20:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:48 UTC