On 26/11/2018 19:59, Adam Roach wrote: > On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote: >> That the IdP script is trusted, so I don't see any reason why it >> can't handle the keys. > > > This doesn't make any sense. There's nothing that prevents the domain > hosting the application JavaScript from pointing to its own IdP (or an > IdP under its control) using setIdentityProvider() -- which has the > exact same security properties of handing the key to itself under your > proposal. No, because the browser will show the domain on the prompt and you will know who you do trust. If not IdP would be completely useless. > > The IdP is trusted to do one very exact and precise thing. Media key > handling is very different than identity assertion. > Why? Idp can say: remote peer is "Sergio Garcia" and this is his public key so you can send media to him (on top of dtls keys that are exchanged normally and not available to the browser) Best regards SergioReceived on Tuesday, 27 November 2018 10:26:59 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:45 UTC