Re: A Somewhat Critical View of SOP (Same Origin Policy)

On 2015-08-29 16:17, Andrew Sullivan wrote:
> On Sat, Aug 29, 2015 at 10:21:12AM +0200, Anders Rundgren wrote:
>> A core part of the Web Security model is based on SOP.
>>
>> However, the world (outside of the Web) isn't working according to this model; it is rather ad-hoc.
>>
>
> Some of us believe that part of the reason the world isn't working
> that way is that the SOP elevates the value of information you get
> from a domain name in a URL.  We're trying to do something about it in
> the IETF's DBOUND WG, and we could use some help.  In particular,
>
>> This is where it (IMO) goes wrong.  If Super-Providers are trusted for mediating access to arbitrary domains, why couldn't [properly designed] applications also perform this task?
>>
>
> I believe that the problem is partly that it's hard for an operator of
> a site to declare complicated policies about relationships with other
> domains on the Internet.  I think that the efforts in DBOUND are at
> least a step forward, but I worry that people think that a slightly
> more capable maintenance regime for the PSL (public suffix list) will
> be enough.  To me, the PSL is already inadequate and just trying to
> make its maintenance easier is a waste of effort.


I think I understand what you are trying to accomplish.
DBOUND is about resource sharing between related domains, right?

That's cool but I'm working at the other end of the spectrum where Unrelated, Competing,
and Independent domains are asking users for resources like money.

That is, challenging the 20Y+ standstill on Secure AND Convenient payments on the Web
without the world having to fully buy into the "Super-Provider" concept.

Of course I and 99.999% of all "Netizens" are devoted users of various super-provider
services, but these should be market-based choices rather than depending on limitations
in the architecture of the Web.

Best regards,
Anders

>
> Best regards,
>
> A
>

Received on Sunday, 30 August 2015 04:46:58 UTC