Re: A Somewhat Critical View of SOP (Same Origin Policy) from henry.story@bblfish.net on 2015-09-26 (public-web-security@w3.org from September 2015)

From: <henry.story@bblfish.net>
Date: Sat, 26 Sep 2015 12:03:58 +0100
To: Alex Russell <slightlyoff@google.com>
Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-Id: <E3D4BD93-64E7-41E2-B20B-CFE7F13E840C@bblfish.net>

> On 25 Sep 2015, at 22:46, Alex Russell <slightlyoff@google.com> wrote:

[snip web payments points which I am learning about and don't want to comment on yet -  I did not write those up]
> That client certificates are somehow "safe" because they can invoke UI for users. This isn't always the case for non-browser consumers of the global keystore in some OSes.
The point should be that client certificates used across origin are safe IF they put the user in control of the use of the certificate. This applies to X509 or other cryptographic material.

If other applications do not put the user in control of the usage of certificates (when used across origins) then it would follow that they are not well behaved.

What applications do you have in mind? That would help. 
> Further, it misinterprets the FIDO threat and provisioning model. 
There were a number of questions there, that were designed to help consider how cross site identity is
enabled by FIDO by putting the user in control. This is not meant to be a criticism of FIDO, but an
attempt to show that the rule is actually: cross origin information can be exchanged so long as the user is in control. 
> The section on WebCrypto is simply nonsensical. I literally don't know which error to tackle first.
I wrote it too quickly probably. I have updated it and clarified the language. 

If you still find issues with it, please just select the 2 or thee top ones. It may just be something that can 
be improved in the text, or it may actually be that I have misunderstood something important, in which case
I'll remove the offending text.

Hopefully in the next few days I will be able to use WebCrypto so that I have actual hands on experience of it.
That will force me to read the spec much more carefully, and probably help make the point even more clearly.

> 
> It would save the authors/contributors considerable embarrassment if it were edited down to solid facts.

I did cite a lot of specifications and IETF documents.

Btw, yesterday [1] I pointed out that FIDO does allow cross origin use of public key materials in the specification of the facets document [2].  Is this a correct reading? If you don't disagree I'll add it to the wiki as an interesting case of how SOP can be extended.

As we collect these points it may become clearer what the issues actually are.

[1] https://lists.w3.org/Archives/Public/public-web-security/2015Sep/0087.html <https://lists.w3.org/Archives/Public/public-web-security/2015Sep/0087.html>[2] https://fidoalliance.org/wp-content/uploads/html/fido-appid-and-facets-v1.0-ps-20141208.html

> 
> Regards
> 
> On Thu, Sep 24, 2015 at 3:08 AM, GALINDO Virginie <Virginie.Galindo@gemalto.com <mailto:Virginie.Galindo@gemalto.com>> wrote:
> Henry,
> 
> I rely on your constructive sense of communication to feed the wiki page I have indicated here https://www.w3.org/Security/wiki/IG/a_view_on_SOP <https://www.w3.org/Security/wiki/IG/a_view_on_SOP> and stop arguing against particular email in this thread.
> 
> If we have a problem, lets *document* it.
> 
> Thank you.
> 
> Virginie
> Chair of the Web Security IG
> 

Social Web Architect
http://bblfish.net/

Received on Saturday, 26 September 2015 11:04:29 UTC