Re: Removing trolls and off-topic conversation from Web Security IG? [was Re: A Somewhat Critical View of SOP (Same Origin Policy)]

On 09/23/2015 12:25 PM, Martin Paljak wrote:
> Hello,
>
> On 23/09/15 18:45, Harry Halpin wrote:
>> At this point, I think it would be a useful discussion for the Chair of
>> the IG to move the IG to member-only in a re-chartering, as it may be
>> the only way to keep the discussion on-topic.
> What exactly is off-topic or trolling?
>
> It seems to me that people have quite nicely tried to bring up the
> possibility of at least *discussing* security models other than SOP for
> certain scenarios, but are being turned down with "you don't seem to know
> how the Web works, the Web will not work with that, only SOP is ever
> being discussed, period".
>
> While SOP is a fundamental principle for web security, I don't think it
> is *the* principle everything and anything must comply to. Am I wrong?
>
> Maybe it makes sense to remind two nice sayings:
>
> "Browser is supposed to be a User-Agent, not Industry-Agent"
> and
> "If all you have is a hammer, everything starts to look like a nail"
>
> I don't know what exactly you think by "the Web" but it seems that there
> is a fundamental difference in understanding what the user actually
> wants or is supposed to want or is allowed to want.
>
> Clearly articulating that you don't care and don't want to listen is OK,
> but rejecting meaningful dialogue by masking it as "trolling" is not
> going to lead to fruitful results.
>
> I think it is obvious that there is a fundamental difference between how
> certain groups think or envision "the web" but I see no fundamental
> reason why the two groups can't work together on technical terms,
> finding the balance and compromises between the different approaches to
> security, privacy etc.
>
> Except for "don't want to play together, so no point in trying" is the
> reason, in which case it really makes no sense. That's not the web I'm into.

I am bringing up the point that the Web Security Interest Group is based
on the "Web", whose only meaningful security boundary is the Same Origin
Policy.

It would of course be within scope on how to tie existing, non-Web
security models to the Web Security Model and to respect the same origin
policy. I suggested for example, per-origin based key derivation. There
are many other possible routes.

However, throwing Same Origin Policy out would be out of scope and is a
non-starter likely for anything that can be implemented. If there are basic
problems understanding the Same Origin Policy, I believe this should be
addressed off-list. For non-Web security standards, there are many other
forums to choose from.

   cheers,
       harry

> Martin

Received on Wednesday, 23 September 2015 16:43:43 UTC