W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2018

Re: Call for adoption - use case for "Trusted application, untrusted intermediary"

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Tue, 27 Nov 2018 11:30:14 +0100
To: Adam Roach <adam@nostrum.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Nils Ohlmeier <nohlmeier@mozilla.com>, public-webrtc@w3.org
Message-ID: <3b2054f8-e977-e613-c8d5-1d2d025dc282@gmail.com>
On 26/11/2018 19:59, Adam Roach wrote:
> On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote:
>> That the IdP script is trusted, so I don't see any reason why it 
>> can't handle the keys.
> This doesn't make any sense. There's nothing that prevents the domain 
> hosting the application JavaScript from pointing to its own IdP (or an 
> IdP under its control) using setIdentityProvider() -- which has the 
> exact same security properties of handing the key to itself under your 
> proposal.

No, because the browser will show the domain on the prompt and you will 
know who you do trust. If not IdP would be completely useless.

> The IdP is trusted to do one very exact and precise thing. Media key 
> handling is very different than identity assertion.
Why? Idp can say: remote peer is "Sergio Garcia" and this is his public 
key so you can send media to him (on top of dtls keys that are exchanged 
normally and not available to the browser)

Best regards

Received on Tuesday, 27 November 2018 10:26:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:45 UTC