Re: Call for adoption - use case for "Trusted application, untrusted intermediary"

On 26/11/2018 19:59, Adam Roach wrote:
> On 11/25/18 4:16 PM, Sergio Garcia Murillo wrote:
>> That the IdP script is trusted, so I don't see any reason why it 
>> can't handle the keys.
>
>
> This doesn't make any sense. There's nothing that prevents the domain 
> hosting the application JavaScript from pointing to its own IdP (or an 
> IdP under its control) using setIdentityProvider() -- which has the 
> exact same security properties of handing the key to itself under your 
> proposal.

No, because the browser will show the domain on the prompt and you will 
know who you do trust. If not IdP would be completely useless.

>
> The IdP is trusted to do one very exact and precise thing. Media key 
> handling is very different than identity assertion.
>
Why? Idp can say: remote peer is "Sergio Garcia" and this is his public 
key so you can send media to him (on top of dtls keys that are exchanged 
normally and not available to the app)

Best regards

Sergio

Received on Tuesday, 27 November 2018 10:27:13 UTC