[rtcweb] IdP and universal trust

Martin Thomson <martin.thomson@gmail.com> Thu, 29 March 2012 11:26 UTC

Date: Thu, 29 Mar 2012 13:25:59 +0200
Message-ID: <CABkgnnWwaAgF5YQ0dP45yeYetRjBuuSt2C9epHtcTcUqeRkd+g@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Hadriel Kaplan <HKaplan@acmepacket.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Randell Jesup <randell-ietf@jesup.org>, "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: [rtcweb] IdP and universal trust
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 11:26:01 -0000

On 29 March 2012 08:08, Hadriel Kaplan <HKaplan@acmepacket.com> wrote:
> Yeah I've been trying to figure out if there's some advantage to having a gateway be able to indicate "gateway@telco.com", once there is an IdP model.  I would think it's a major pita to deploy such a thing on gateways, unless there's a very popular IdP they could know everyone would trust.  It would actually be easier to just give the gateway a real TLS cert for DTLS to use, from a major CA, since gateways are the types of systems real certs would be reasonably possible to install on.

This is an important point, and I think that perhaps you missed the
distinction. Iff third party assertions are permitted, then the
problem that you refer to - namely, finding someone that others trust
- is somewhat difficult.  On the other hand, it is also true that you
can gain multiple assertions and increase the chances of finding an
acceptable IdP.

What seems more likely is that IdPs are only going to be authoritative
for their own domain.  The overall story is a lot easier to tell.
This has the nice quality that you don't have to trust the IdP, you
only have to trust their CA.
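The two trust policies contrasted in this message, as an added toy model in Python (not code from the rtcweb drafts, from any browser, or from either poster). The `Assertion` record, the `verify_same_domain` and `verify_third_party` functions, and the `popular-idp.example` domain are all constructed for illustration; whether the IdP's TLS certificate chained to a trusted CA is represented by a flag rather than by real X.509 validation.

```python
"""Toy model of the two identity-assertion trust policies contrasted above.

Constructed example; not code from the rtcweb drafts or any browser.
An "assertion" here is just a record of who the IdP says the peer is and
which IdP said so.  CA validation of the IdP's TLS certificate is modelled
by a flag rather than performed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    identity: str       # asserted identity, e.g. "gateway@telco.com"
    idp_domain: str     # domain of the IdP that produced the assertion
    idp_cert_ok: bool   # True if the IdP's TLS cert chained to a trusted CA


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot so a comparison is not fooled
    by case or by the FQDN form of the same name."""
    d = domain.strip().lower()
    if d.endswith("."):
        d = d[:-1]
    if not d or any(c.isspace() for c in d):
        raise ValueError(f"malformed domain: {domain!r}")
    return d


def identity_domain(identity: str) -> str:
    """Return the domain part of a user@domain identity; reject anything else."""
    local, sep, domain = identity.rpartition("@")
    if not sep or not local:
        raise ValueError(f"identity is not user@domain: {identity!r}")
    return normalize_domain(domain)


def verify_same_domain(a: Assertion) -> bool:
    """Policy 1: an IdP is authoritative only for identities in its own domain.
    The verifier keeps no list of trusted IdPs; it relies on the CA that
    vouched for the IdP's TLS certificate and checks that the domains match."""
    return a.idp_cert_ok and identity_domain(a.identity) == normalize_domain(a.idp_domain)


def verify_third_party(a: Assertion, trusted_idps: frozenset) -> bool:
    """Policy 2: third-party assertions are permitted, so the verifier must
    also decide which IdPs it believes about other people's domains.  That
    list is the "find someone that others trust" problem from the message."""
    return a.idp_cert_ok and normalize_domain(a.idp_domain) in trusted_idps


def demo() -> dict:
    """Run the gateway case from the thread through both policies."""
    # Constructed assertions; telco.com and popular-idp.example are placeholders.
    own = Assertion("gateway@telco.com", "telco.com", True)
    third = Assertion("gateway@telco.com", "popular-idp.example", True)
    bad_cert = Assertion("gateway@telco.com", "telco.com", False)
    trusted = frozenset({"popular-idp.example"})
    return {
        "own_same_domain": verify_same_domain(own),                    # True
        "third_same_domain": verify_same_domain(third),                # False
        "third_with_list": verify_third_party(third, trusted),         # True
        "third_without_list": verify_third_party(third, frozenset()),  # False
        "bad_cert": verify_same_domain(bad_cert),                      # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

Under the same-domain policy the gateway's assertion is accepted as soon as telco.com's own IdP presents a certificate the verifier's CA store accepts; under the third-party policy the same assertion from a different IdP is only accepted if that IdP already sits on the verifier's trusted list, which is exactly the deployment difficulty the quoted reply raises.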