W3C home > Mailing lists > Public > public-webrtc@w3.org > July 2017

[webrtc-pc] Specifying third party IdP for validating assertion

From: Soares Chen via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Jul 2017 09:38:16 +0000
To: public-webrtc@w3.org
Message-ID: <issues.opened-245023873-1500889094-sysbot+gh@w3.org>
soareschen has just created a new issue for https://github.com/w3c/webrtc-pc:

== Specifying third party IdP for validating assertion ==
If my understanding is correct, `setIdentityProvider()` is used to set IdP proxy only for local peer identity. `setIdentityProvider()` can be set to any host and generate identity assertion for any domain, because the assertion is an opaque string and `RTCPeerConnection` does not care about local peer identity.

For remote peer identity, the `domain` and `protocol` fields are used to construct the well-known URL for the IdP proxy. And if the IdP proxy returns `RTCIdentityValidationResult` with identity belonging to different domain, it would result in error. But rtcweb-security-arch also mention about validating the identity against third party domain:

> 5.7.1.  Identity Formats
> 2.  If the domain portion of the string is not equal to the domain name of the IdP proxy, then the PeerConnection object MUST reject the assertion unless:
> 1.  the IdP domain is trusted as an acceptable third-party IdP; and
> 2.  local policy is configured to trust this IdP domain for the domain portion of the identity string.

So would there be any case in WebRTC that an IdP trusted as an acceptable third-party IdP that can produce `RTCIdentityValidationResult` for identities of different domains?

Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506 using your GitHub account
Received on Monday, 24 July 2017 09:38:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:51 UTC