On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote: > That the IdP script is trusted, so I don't see any reason why it can't > handle the keys. This doesn't make any sense. There's nothing that prevents the domain hosting the application JavaScript from pointing to its own IdP (or an IdP under its control) using setIdentityProvider() -- which has the exact same security properties of handing the key to itself under your proposal. The IdP is trusted to do one very exact and precise thing. Media key handling is very different than identity assertion. /aReceived on Monday, 26 November 2018 18:59:50 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:45 UTC