- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 16 Jan 2018 09:45:46 +1100
- To: Roman Shpount <roman@telurix.com>
- Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Iñaki Baz Castillo <ibc@aliax.net>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Cullen Jennings <fluffy@iii.ca>
On Tue, Jan 16, 2018 at 5:18 AM, Roman Shpount <roman@telurix.com> wrote:
> I agree identity happens too late in the process. What is needed here is
> ability to cryptographically sign ICE candidates, TURN and STUN servers.
> Signing with certificate of some well known domain listed in CSP seems like
> a good option. This, of course, will require API extensions to provide these
> signatures.

Actually, it doesn't need changes, just a shift in what the browser provides to the IdP. The main cost is in latency. At some point it is necessary to go back to a server and adding that for trickle ICE would hurt. Also, the marginal gain is tiny. We're talking about CSP, which is belt-and-braces defense against script issues; it's not bulletproofing for the entire negotiation.

Received on Monday, 15 January 2018 22:46:08 UTC