W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 16 Sep 2015 11:15:22 -0400
Message-ID: <55F9878A.2060803@digitalbazaar.com>
To: Tony Arcieri <bascule@gmail.com>, Henry Story <henry.story@co-operating.systems>
CC: Rigo Wenning <rigo@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
On 09/15/2015 10:05 PM, Tony Arcieri wrote:
>> On Tue, Sep 15, 2015 at 2:27 PM, Henry Story
>> <henry.story@co-operating.systems
>> <mailto:henry.story@co-operating.systems>> wrote:
>> As long as she can select the identity she wishes to use, and
>> change identity when she wants to, or become anonymous: she must
>> be in control.
> You're conflating authentication with identity. Repeatedly. As Brad
> Hill already called out, but I'll continue calling it out.

I'm mostly following this conversation from the sidelines but wanted to
offer input that I hope will help resolve some miscommunication. It
seems that there's a decent bit of definition dissonance with the terms
authentication and identity and, without addressing that, some
participants will continue to speak past one another.

I'll offer my view of these terms in the hope that it is useful in
resolving that miscommunication:

I think it's certainly true that authentication and identification *are
not the same thing*, but that it is also true that the two are, in fact,
inextricably linked, in this sense:

Expressing one or more attributes of an entity is to identify it. To
authenticate is to establish the veracity of such a claim made about an
entity. It follows that authentication is the act of confirming an
identity. The *scope* and *meaning* of a particular identity is a
separate issue that does not effect this linkage. It is scope and
meaning that seem, at least to me, to be at the center of this
discussion, not the conflation of identity and authentication.

For example, it's perfectly reasonable to limit the scope of an identity
to a single origin and its meaning to "the owner of a private key".
Similarly, it's perfectly reasonable to limit the scope of an identity
to "my close group of friends" and its meaning to "the personality I
present to them".

Human beings use identity in a whole variety of different ways to
present different aspects of themselves. Humans have unique identities
that they present in particular relationships and common identities that
they present across relationships.

In society, the authentication mechanism to identify one's self is
sometimes the same for different identities. I present the same face to
a friend that I present to a professional colleague, but the identity
that they associate with me varies. This can make privacy difficult, and
sometimes humans want to keep certain identities more private by using
authentication mechanisms that don't tie them together.

It is both important that humans are able to make the identity choices
they want to make on the Web and that they can easily understand those
choices and their implications. We shouldn't delude ourselves into
thinking humans won't demand to be able to act as they do in society in
their digital lives. We also shouldn't delude ourselves into thinking
that making sure people can safely make the choices they want to make is
an easily solved problem.

Dave Longley
Digital Bazaar, Inc.
Received on Wednesday, 16 September 2015 15:15:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC