Re: A Somewhat Critical View of SOP (Same Origin Policy) from Harry Halpin on 2015-09-29 (public-web-security@w3.org from September 2015)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 28 Sep 2015 20:21:48 -0400
To: Melvin Carvalho <melvincarvalho@gmail.com>, Rigo Wenning <rigo@w3.org>
CC: Brad Hill <hillbrad@gmail.com>, Dave Longley <dlongley@digitalbazaar.com>, public-web-security@w3.org
Message-ID: <5609D99C.2070302@w3.org>
On 09/28/2015 07:00 PM, Melvin Carvalho wrote:
>
>
> On 26 September 2015 at 12:33, Rigo Wenning <rigo@w3.org
> <mailto:rigo@w3.org>> wrote:
>
>     On Wednesday 23 September 2015 19:01:17 Brad Hill wrote:
>     > But here we are, in 2015, and Identity is still the White Whale
>     of the Web.
>
>     This in itself is shows a really fundamental difference in the
>     understanding
>     of identity, its social functions and the expectations attached to it.
>
>
> Having followed identity for 10 years, since Brad Fitzpatrick's
> pivotal work on OpenID, I would say it has been very hard to make any
> progress at all.  What has been described as "schoolboy politics"
> seems to hinder progress in the consensus process.  Typically this
> consists of a world view that cannot contemplate an inclusive approach
> and will actively work to censor that conversation.  I have noticed
> that every time this topic has made progress, someone will jump in and
> try and shut it down.  Most recently this occurred in the social web
> WG but it has been consistent over about a dozen efforts inside and
> outside the W3C.
>
> The technicals are much easier than the politics, provides that there
> is a willingness to follow existing web standards.  It simply boils
> down to using URIs to name things.  Something we all agree in
> principle, but never do in practice.  It still is the white whale of
> the web, I really hope it's possible make more progress in the next 5
> years than we have in the last.  The way to do that is to allow the
> conversation to happen and be tolerant of other people's ideas.
>  

There is no disagreement on using URIs to name things (although URIs
clearly are not *actually* decentralized, as they rely on DNS and as
such ICANN). I believe there is a disagreement in terms of accessing the
*same* identifiers from a browser *per user* across the Web. For
example, in using client certificates and other X.509 infrastructure
(and uniquely identifying government eID schemes) without adaptation to
SOP. You could imagine, for example, access different identifiers (add
in an origin to a key derivation function) or even ZKPs
(proofs-of-possession) per user for authentication. Then on the
server-to-server authorization flows, one can use whichever identifier
system one likes, URIs included.

Again, we don't have to 'shut conversation down.' However, if a
technical idea has not succeeded in ten years or more, it is likely
because there are some fundamental technical flaws in the idea itself,
and so continued attempts to convince others of the project's success
are likely to not be successful. This may simply be a fault of a
particular technical approach, even if the fundamental idea is sound.
For example, user-centric and user-controlled identity is likely a sound
idea. XRIs, Infocards, OpenID 1.0, Mozilla Persona, WebID+TLS, etc. seem
to have all been pretty flawed and have all failed to gain real market
adoption.

>
>     BTW, in a project we implemented the chaum credentials for age
>     verification
>     and other anonymous credentials (with IBM, MS, SAP and others).
>     People were
>     interested. There were IPR issues in the way. And the believe of
>     many web
>     actors that knowing somebody's name, having a profile, having a
>     "identity"
>     equals "trust" needed for ecommerce. So "browser makers" were not
>     interested
>     because it wasn't a mainstream thought. Arguing Zeitgeist doesn't
>     mean the
>     Zeitgeist is right or that the Zeitgeist can't change.
>


Actually, there was interest from Microsoft, although Google pointed out
that revealing some of the Montgomery Matrix multiplications was not
usually the sort of thing developers could handle in other Crypto APIs.
We attempted to have a phone call with the ABC4TRUST team leading the
effort and invited various academics to telecons. Alas, they never showed.

I do think there is place for zero-knowledge proof mechanisms on the Web
in terms of authentication, and last time I checked the patent issues
were possibly in IBM's ballcourt, not the browser vendors.  There was
some early versions of the European eID Directive that were encouraging
its use and I was hopeful on that front (and spoke in their support at
European Parliament), but they were also edited out. So the failure
point here seems at least equally shared among the people backing
'attribute-based' credentials not working hard enough to get them
adopted, including not actually discussing with browser vendors even
when given the opportunity.

>
>     And only because the current browser makers believe that SOP is
>     the only way
>     to scope a credential or token doesn't mean it is really the only
>     way. It just
>     means that it is more difficult to get implementation if a viable
>     solution is
>     found. We had that for over 10 years with Microsoft pouting CSS,
>     isn't it?
>


SOP is about process separation for running Javascript code in a browser
environment. All platforms (i.e UNIX, etc.) do have that, and increasing
boundaries and making them explicit is always a good thing.

Again, there is no reason why SOP can't work with zero-knowledge proofs,
URIs as human-centric identifiers, etc. You simply have to scope the
authentication mechanism on a per origin basis (again, a very good thing
for privacy) and then use explicit permissions. This can be done via
FIDO+OAuth based solutions, and I see no reason why particular
authenticators (including smartcards, eID systems, etc.) can't do it
with other authentication and authorization flows.

In fact, the main problem is seem to be that non-Web or pre-Web (i.e.
traditional PKI) solutions are being pushed onto the Web, and the
reaction against how this is a mis-match to SOP and leaking non-Web
unique identifiers to the Web  from the perspective of privacy
advocates, Web developers and browser-makers. If a standard that rather
blatantly violated reasonable privacy and security assumptions came out
in the name of "user control", it is more likely that users themselves
would be upset.

Balancing control between the origin of the code and the users is
useful, but users tend to have limited time/overhead to deal with
anything more than a very limited set of permissions. Key management
works fairly poorly for PGP, and I don't see how we could expect your
average Web user to do more.

         cheers,
                 harry
>
>
>     So arguing a dichotomy isn't helping IMHO.  But of course I hear
>     your warnings
>     about past mistakes and I still feel my own defeats in the EU
>     electronic
>     signature circus where I failed to convince others that their HIGH
>     security
>     requirements will not work with Web integration. What I want is a real
>     discussion and not just the throwing of drop-dead-arguments.
>
>      --Rigo
>
>
Received on Tuesday, 29 September 2015 00:21:51 UTC