Re: [rtcweb] More on authorization and endpoint authentication
Harald Alvestrand <harald@alvestrand.no> Fri, 05 August 2011 06:40 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C95A921F8678 for <rtcweb@ietfa.amsl.com>; Thu, 4 Aug 2011 23:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.576
X-Spam-Level:
X-Spam-Status: No, score=-102.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GfOUtLEy-Qa3 for <rtcweb@ietfa.amsl.com>; Thu, 4 Aug 2011 23:40:58 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 190ED21F855A for <rtcweb@ietf.org>; Thu, 4 Aug 2011 23:40:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 7BE1739E113 for <rtcweb@ietf.org>; Fri, 5 Aug 2011 08:40:04 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJKZ7ZYdxFLE for <rtcweb@ietf.org>; Fri, 5 Aug 2011 08:40:03 +0200 (CEST)
Received: from [192.168.1.51] (162.80-203-220.nextgentel.com [80.203.220.162]) by eikenes.alvestrand.no (Postfix) with ESMTPS id E3B0639E0D4 for <rtcweb@ietf.org>; Fri, 5 Aug 2011 08:40:03 +0200 (CEST)
Message-ID: <4E3B908A.1040809@alvestrand.no>
Date: Fri, 05 Aug 2011 08:41:14 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CABcZeBM2hgNkBgvB=8uw_CKuQ+=F=TPBtJq16SyvQ=SKPNVY+A@mail.gmail.com>
In-Reply-To: <CABcZeBM2hgNkBgvB=8uw_CKuQ+=F=TPBtJq16SyvQ=SKPNVY+A@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] More on authorization and endpoint authentication
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2011 06:40:58 -0000
On 08/04/11 18:46, Eric Rescorla wrote: > At a higher level, I think we've been failing to draw the distinction > between two cases which are socially (and arguably technically) very > different: > > 1. The calling service is permitted to place a call but all the > information about who you are actually calling is accessible > only to the JS provided by the calling service. > > 2. The calling service is permitted to place a call but the > browser has independent information about who you are > actually talking to. [and could at least in principle render > it to the user.] I do not like the thought of going down the case #2 road. The reason is that in case 2, the concept of remote identity gets hardwired into the browser, and the API becomes useful only for applications that subscribe to the particular identity model that is hardwired into the browser. In case #1, the API can be used with any (or no) concept of "remote identity", and the JS provider (who has a kind of "identity" by virtue of the Same Origin Policy definition, so it's already wired into the browser) gets to hold the responsibility.
- [rtcweb] More on authorization and endpoint authe… Eric Rescorla
- Re: [rtcweb] More on authorization and endpoint a… Bernard Aboba
- Re: [rtcweb] More on authorization and endpoint a… Harald Alvestrand
- Re: [rtcweb] More on authorization and endpoint a… Eric Rescorla
- Re: [rtcweb] More on authorization and endpoint a… Ted Hardie
- Re: [rtcweb] More on authorization and endpoint a… Igor Faynberg