W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Harry Halpin <hhalpin@w3.org>
Date: Wed, 23 Sep 2015 12:39:23 -0400
Message-ID: <5602D5BB.5030306@w3.org>
To: Dave Longley <dlongley@digitalbazaar.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>
CC: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>

I simply do not believe that writing a spec for an identity or
authentication system and then pushing it to W3C browsers is a good way
for the authors of the specs to learn security and privacy basics. It is
much better for learning fundamentals like same origin policy for
learning to be done in private, rather than in public mailing lists,
where these emails are beginning to verge on spam for many people.

Again, exposing a single X.509 certificate (or public-private keypair)
to identify oneself across *all* websites won't make sense. In
particular "secure golden keys" tend to have operational failures that,
the more they are deployed, tend to effect larger user-bases.
Furthermore, one key-per person is I believe quite totalitarian in any
sense of the word - and key sizes and algorithms may be in a state of
flux over the coming years. Furthermore, one identifier per person is a
perfect tracking tool. One key to rule them all didn't work for Sauron,
I see no reason to see why it would on the Web :)

  I understand some people like Henry Story, Anders, and perhaps
yourself believe such schemes based on 'one key to rule them all' and
violating the same origin policy are good ideas, but the consensus from
W3C membership and the wider security and privacy community is that
these ideas and 'specs' are known broken and many e-mails if have been
sent explaining this to people and yet these ideas/specs are for the
most part unrevised.  Thus, people who back these schemes should simply
stop pushing them on W3C mailing lists. Instead, they should go back to
the drawing board or use existing, well-defined standards such as those
produced by the WebAppSec WG. Myself and others would be happy to
provide guidance and reading material off-list. E-mail addresses or
other identifiers that are not bound up with cryptographic primitives
but can be bound to them as appropriate and dynamically make much more
sense. For a good example of this in action, you may want to look at
OAuth and the TLS Token Binding work at IETF.


On 09/23/2015 12:04 PM, Dave Longley wrote:
> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>> In my opinion the #1 problem with this discussion is that when you
>>> mention
>>> things that doesn't match the SOP vision like the fact that Android-,
>>> Apple-,
>>> and Samsung-Pay doesn't work on the Web, dead silence is all you get.
>> Since the same origin policy is the primary meaningful security boundary
>> on the Web, I expect for most people interested in security and privacy
>> that emails that dismiss SOP are generally put in the spam folder.
>> I do understand some people are interested in creating, for example,
>> 'unique identifier' across all websites such as in the form of a X.509
>> certificate. These sort of  totalitarian identity scheme...
> "dismissing"? "totalitarian"? These words have meanings that don't
> seem to line up with their usage here, but their connotations do yield
> negative visceral reactions. Is the goal discord or understanding?
> I've really only been following this thread from the sidelines, but
> who has dismissed SOP? Who has shown interest in creating a 'unique
> identifier' across all websites? Are you referencing a different
> discussion?
> I have seen more subtle arguments put forth than what you suggest.
> Even advocates of using an email address from a super provider as a
> 'unique identifier' don't suggest it be done across *all* websites.
> It is considered good practice to avoid setting up strawmen arguments
> or those that can't be differentiated from such because of a lack of
> context. Strawmen are easy to create and fun to knock down, but they
> don't advance a discussion in any substantive way. You can't
> demonstrate that an argument is lacking in substance by attacking a
> different argument.
> It's also recommended that we be fairly slow in convincing ourselves
> that we have a good grasp on the measure of what other people
> understand. Miscommunication is commonplace on the Internet. It takes
> a while to gather enough information to really understand what another
> person is thinking. If you don't have that time, that's fine, don't
> engage. I'm on board with that aspect of your argument.
> However, I would consider it a mistake to dismiss (proper usage) your
> email on the basis that you had some basic semantic and grammatical
> errors. A few mistakes, trivial or otherwise, are not sufficient
> information for one to judge the totality of another's understanding
> of a subject. Telling someone who makes a mistake that have to come
> back after they've completed a task that cannot possibly eliminate all
> mistakes is just a different way of expressing the halting problem.
Received on Wednesday, 23 September 2015 16:39:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:38 UTC