RE: Harmonizing same-origin and cross-origin credentials

Hi!

Just a remark after wading through security philosophies in different contexts:

We web-thinkers shouldn’t be so arrogant as to think that we’d know whether a credential is of the same origin or not. The best way to provide higher level security is still to provision something ‘out of band’ because this could not be controlled by an attacker sitting on one device and controlling all I/O there. The only guy who knows whether credential B belongs to service A is the user.

And if we are here to solve security challenges for the user, we need to empower the user to make such decisions consciously and knowingly.

SOP is a great thing – and even greater is the web. The world is still much bigger. And the world outside of the web holds high potential to solve a few problems within the web.

Cheers,
Jörg

From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
Sent: Monday, 18 May 2015 23:26
To: Manu Sporny
Cc: Credentials Community Group
Subject: Re: Harmonizing same-origin and cross-origin credentials

On 18 May 2015 at 22:12, Manu Sporny <msporny@digitalbazaar.com> wrote:
Just keeping this group in the loop wrt. WebAppSec and credentials.

The discussion with the Web Application Security WG is ongoing. We just
had a telecon today[1] (search for "manu") about a status update related
to harmonizing same-origin and cross-origin credentials:

https://lists.w3.org/Archives/Public/public-webappsec/2015May/0101.html


In general, here's where we are:

1. The Credentials Management API has an extensibility mechanism, and
   we assert that the future Web Payments IG/WG and Credentials CG/WG
   work would like to use it.
2. We don't know if this extensibility mechanism will work for
   cross-origin credentials, which will more than likely be a hard
   requirement for the future Web Payments IG/WG and Credentials CG/WG.
3. We don't want the future Web Payments IG/WG and Credentials CG/WG
   to effectively duplicate the work done in this group because the
   extensibility mechanism doesn't work for them.
4. We're working on getting a concrete but drafty cross-origin
   extension done in the Credentials CG by the end of this week.
5. We don't want WebAppSec to take on work they're not chartered to do.

Great work Manu

re: "It is likely that cross-origin credentials are going to be a hard requirement when the Web Payments WG"
Totally agree.


-- manu

[1] http://www.w3.org/2015/05/18-webappsec-minutes.html


--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/

Received on Thursday, 21 May 2015 15:32:45 UTC