RE: Harmonizing same-origin and cross-origin credentials

On May 21, 2015 5:33 PM, <Joerg.Heuer@telekom.de> wrote:
>
> Hi!
>
>
>
> Just a remark after wading through security philosophies in different
> contexts:
>
>
>
> We web-thinkers shouldn’t be so arrogant to think that we’d know whether
> a credential is of the same origin or not. The best way to provide higher
> level security is still to provision something ‘out of band’ because this
> could not be controlled by an attacker sitting on one device and
> controlling all I/O there. The only guy who knows whether credential B
> belongs to service A is the user.
>
>
>
> And if we are here to solve security challenges for the user, we need to
> empower the user to make such decisions consciously and knowingly.
>
>
>
> SOP is a great thing – and even greater
> is the web. The world is still much
> bigger. And the world outside of the
> web holds high potential to solve a few
> problems within the web.

Since the web lives in [mostly] SOP-crippled sandboxes, I'm curious to hear
how the world outside of the web is supposed to solve problems within the
web.

As a side note, TLS client cert auth supported by all browsers is
completely free from SOP constraints which I guess is one reason why Google
considers it unsuitable for consumers.

Anders
>
>
>
> Cheers,
>
>                 Jörg
>
>
>
> From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
> Sent: Monday, 18 May 2015 23:26
> To: Manu Sporny
> Cc: Credentials Community Group
> Subject: Re: Harmonizing same-origin and cross-origin credentials
>
> On 18 May 2015 at 22:12, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> Just keeping this group in the loop wrt. WebAppSec and credentials.
>
> The discussion with the Web Application Security WG is ongoing. We just
> had a telecon today[1] (search for "manu") about a status update related
> to harmonizing same-origin and cross-origin credentials:
>
> https://lists.w3.org/Archives/Public/public-webappsec/2015May/0101.html
>
> In general, here's where we are:
>
> 1. The Credentials Management API has an extensibility mechanism, and
>    we assert that the future Web Payments IG/WG and Credentials CG/WG
>    work would like to use it.
> 2. We don't know if this extensibility mechanism will work for
>    cross-origin credentials, which will more than likely be a hard
>    requirement for the future Web Payments IG/WG and Credentials CG/WG.
> 3. We don't want the future Web Payments IG/WG and Credentials CG/WG
>    to effectively duplicate the work done in this group because the
>    extensibility mechanism doesn't work for them.
> 4. We're working on getting a concrete but drafty cross-origin
>    extension done in the Credentials CG by the end of this week.
> 5. We don't want WebAppSec to take on work they're not chartered to do.
>
>
>
> Great work Manu
>
> re: "It is likely that cross-origin credentials are going to be a hard
> requirement when the Web Payments WG"
>
> Totally agree.
>
>
>>
>>
>> -- manu
>>
>> [1] http://www.w3.org/2015/05/18-webappsec-minutes.html
>>
>> --
>> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
>> Founder/CEO - Digital Bazaar, Inc.
>> blog: High-Stakes Credentials and Web Login
>> http://manu.sporny.org/2014/identity-credentials/
>
>

Received on Thursday, 21 May 2015 17:14:09 UTC