W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 17 Sep 2015 16:09:19 +0200
To: Brad Hill <hillbrad@gmail.com>
Cc: Henry Story <henry.story@co-operating.systems>, Tony Arcieri <bascule@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <80141371.nsr0gGeRaX@hegel>

Point taken, and going back to the desk to learn more about it to find out how
to use the one in making the other happen.


On Thursday 17 September 2015 13:51:03 Brad Hill wrote:
> > 3/ Is FIDO excluding all other authentication and security tools
> > 
> > No. I believe there is a place for something else that is less dependent on
> > large origins for their trust relation... --Rigo
> Again, with respect, this fundamentally misunderstands what FIDO does.
> FIDO works directly between end users and the sites they visit.  There is
> no third party dependency, let alone any relationship to "large origins"
> AKA "super-providers".
> This is exactly the beauty of de-coupling strong authentication from
> Identity, FIDO makes strong authentication instantly available to every
> web application at every scale, without having to establish *any* trust
> relationships with third parties.  The relationships between users and
> applications are unmediated.
> How you exchange Identity or AuthZ assertions is an independent problem.
> Federation is one way (which happens to have a large installed base and
> history of successful deployment) but it's an orthogonal issue.  FIDO can
> work with this, but it can work as well with other technologies.  Whatever
> shortcomings you may think that federation systems as deployed today have, they
> are not shortcomings of FIDO.
> You can even do an Identity-entangled authentication with a client
> certificate, and then re-authenticate with FIDO over that secure channel.
> FIDO is just strong authentication, sans identity.  So rather than trying
> to hang the sins (whatever they are) of Federated Identity around FIDO's
> neck, you might instead consider whether perhaps the fact that we've failed
> to deploy strong authentication successfully at scale for so many years has
> anything to do with the fact that so far we've always made it dependent on
> a grand vision of Identity.
> Maybe we can do better by solving one hard problem at a time and using
> composable solutions.  To me, being able to make independent choices about
> the method and strength of my authentication, and whether and how I share
> information about my identity, seems to be much more respectful of the
> principle of User Choice than any entangled solution can ever be.
> -Brad

Received on Thursday, 17 September 2015 14:09:36 UTC
