Re: Call for adoption - use case for "Trusted application, untrusted intermediary"

On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote:
> That the IdP script is trusted, so I don't see any reason why it can't 
> handle the keys.

This doesn't make any sense. There's nothing that prevents the domain 
hosting the application JavaScript from pointing to its own IdP (or an 
IdP under its control) using setIdentityProvider() -- which has the 
exact same security properties of handing the key to itself under your 

The IdP is trusted to do one very exact and precise thing. Media key 
handling is very different than identity assertion.


Received on Monday, 26 November 2018 18:59:50 UTC