W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2018

Re: Call for adoption - use case for "Trusted application, untrusted intermediary"

From: Adam Roach <adam@nostrum.com>
Date: Mon, 26 Nov 2018 12:59:14 -0600
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Nils Ohlmeier <nohlmeier@mozilla.com>, public-webrtc@w3.org
Message-ID: <c8b2f4d1-cd04-2aeb-eee9-4a539c25cb82@nostrum.com>
On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote:
> That the IdP script is trusted, so I don't see any reason why it can't 
> handle the keys.

This doesn't make any sense. There's nothing that prevents the domain 
hosting the application JavaScript from pointing to its own IdP (or an 
IdP under its control) using setIdentityProvider() -- which has the 
exact same security properties of handing the key to itself under your 

The IdP is trusted to do one very exact and precise thing. Media key 
handling is very different than identity assertion.

Received on Monday, 26 November 2018 18:59:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:45 UTC