Re: [rtcweb] usability of IdP concepts in draft-ietf-rtcweb-security-arch-07

Wolfgang Beck <wolfgang.beck01@googlemail.com> Wed, 06 November 2013 02:01 UTC

In-Reply-To: <52799EEB.6030203@viagenie.ca>
References: <CAAJUQMgRqOggVzviMPnvpkwSzYJeEe_1S5K00chdGq-Hghq3Dg@mail.gmail.com> <52795BF0.1020207@makk.es> <CAAJUQMj2_sXtyTf=SugJWA81Ho_+G5WJN4QCfv1Z1FQdZL=Reg@mail.gmail.com> <CABkgnnUJSWz9fqUNSp3+RGyFpHVddXWHq9Y2nMTMUf9n2H798Q@mail.gmail.com> <CAAJUQMjmWsTmvkWDgJeNuocWYAiTerT=P7fMHbXRx6mjfe9DMg@mail.gmail.com> <CABkgnnWv5DkD+hhadhB2juNP+kAzNn2wK895FKVMO_OEohv=MA@mail.gmail.com> <52799EEB.6030203@viagenie.ca>
Date: Wed, 06 Nov 2013 03:00:08 +0100
Message-ID: <CAAJUQMgy5P0rRcNfgLRu_ivXidwoWCgcqXKU27YxA5yQ77gPCw@mail.gmail.com>
From: Wolfgang Beck <wolfgang.beck01@googlemail.com>
To: Simon Perreault <simon.perreault@viagenie.ca>
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] usability of IdP concepts in draft-ietf-rtcweb-security-arch-07

The draft proposes a solution where the PeerConnection object does an IdP
exchange of its own. The JS is kept out of the loop. It's not implemented
yet.
On 05.11.2013 17:45, "Simon Perreault" <simon.perreault@viagenie.ca> wrote:

> On 2013-11-05 17:37, Martin Thomson wrote:
>
>> On 5 November 2013 16:36, Wolfgang Beck <wolfgang.beck01@googlemail.com>
>> wrote:
>>
>>> I'm not convinced. How would you explain to the user why he has to login --
>>> or select an IdP -- twice? Maybe this is more an API/W3C topic.
>>>
>>
>> As I have said a couple of times already, the user should not have to
>> login more than once.  If that were the case, then that would be a
>> problem with the IdP.  The generation of an assertion might require
>> login, but validation definitely shouldn't.
>>
>> It's also possible that you already have a session open with your IdP.
>> In that case, you wouldn't necessarily see a login flow at all.
>>
>
> +1
>
> I've been working on IdPs and WebRTC recently, and I also don't see why
> double login would be necessary. Where does this idea come from?
>
> Simon
> --
> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
> STUN/TURN server               --> http://numb.viagenie.ca