
Re: Removing trolls and off-topic conversation from Web Security IG? [was Re: A Somewhat Critical View of SOP (Same Origin Policy)]

From: Hadi Nahari <hnahari@nvidia.com>
Date: Wed, 23 Sep 2015 17:36:11 +0000
To: Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <D2282EAE.173CEF%hnahari@nvidia.com>


On 9/23/15, 9:43 AM, "Harry Halpin" <hhalpin@w3.org> wrote:

>On 09/23/2015 12:25 PM, Martin Paljak wrote:
>> Hello,
>>
>> On 23/09/15 18:45, Harry Halpin wrote:
>>> At this point, I think it would be a useful discussion for the Chair of
>>> the IG to move the IG to member-only in a re-chartering, as it may be
>>> the only way to keep the discussion on-topic.
>> What exactly is off-topic or trolling?
>>
>> It seems to me that people have quite nicely tried to bring up the
>> possibility of at least *discussing* security models other than SOP for
>> certain scenarios, but are being turned down with "you don't seem to know
>> how the Web works, the Web will not work with that, only SOP is ever
>> being discussed, period".
>>
>> While SOP is a fundamental principle for web security, I don't think it
>> is *the* principle everything and anything must comply with. Am I wrong?
>>
>> Maybe it makes sense to remind two nice sayings:
>>
>> "Browser is supposed to be a User-Agent, not Industry-Agent"
>> and
>> "If all you have is a hammer, everything starts to look like a nail"
>>
>> I don't know what exactly you think by "the Web" but it seems that there
>> is a fundamental difference in understanding what the user actually
>> wants or is supposed to want or is allowed to want.
>>
>> Clearly articulating that you don't care and don't want to listen is OK,
>> but rejecting meaningful dialogue by masking it as "trolling" is not
>> going to lead to fruitful results.
>>
>> I think it is obvious that there is a fundamental difference between how
>> certain groups think or envision "the web" but I see no fundamental
>> reason why the two groups can't work together on technical terms,
>> finding the balance and compromises between the different approaches to
>> security, privacy etc.
>>
>> Except for "don't want to play together, so no point in trying" is the
>> reason, in which case it really makes no sense. That's not the web I'm
>>into.
>
>I am bringing up the point that the Web Security Interest Group is based
>on the "Web", whose only meaningful security boundary is the Same Origin
>Policy.
>
>It would of course be within scope on how to tie existing, non-Web
>security models to the Web Security Model and to respect the same origin
>policy. I suggested for example, per-origin based key derivation. There
>are many other possible routes.
>
>However, throwing Same Origin Policy out would be out of scope and is a
>non-starter likely for anything that can be implemented. If there are basic
>problems understanding the Same Origin Policy, I believe this should be
>addressed off-list. For non-Web security standards, there are many other
>forums to choose from.
>
>   cheers,
>       harry
>
>> Martin

Harry;

I have been following this specific thread with a great deal of interest
and haven't felt spammed. I think your attempt to shut this down is out of
line, though I agree that a bit of civility could help. The [non-]
argument of "you don't know how [X] works" is not logical reasoning, and
does not replace it.

>> ... "whose only meaningful security boundary is the Same Origin Policy."
I disagree. This is the whole reason that having conversations like this
is useful so that we "evaluate" whether this is true, rather than "assert"
it.

Let's, instead, follow and apply rules of civilized argumentation, rather
than just shut things down. Not cool.

Regards,
-Hadi
P.S. Though I don't agree with all Mr. Rundgren's assertions, I have
also seen some vile attacks/responses against him, which I think are
unwarranted. D.S.

-------------------------------------
Hadi Nahari, Chief Security Architect
NVIDIA, +1.408.562.7916
--------------------------------------
Dubito ergo mihi licet esse



Received on Wednesday, 23 September 2015 17:36:41 UTC
