- From: Siva Narendra <siva@tyfone.com>
- Date: Wed, 23 Sep 2015 11:21:23 -0700
- To: Harry Halpin <hhalpin@w3.org>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CAJhTYQwJpZsfcOAoUoCE5sU+ggFTyhecx+ODc-+iNSbb0jktvw@mail.gmail.com>
+1 - Harry's comments. Open but civil and keep implementations relevant.

--
Siva G. Narendra Ph.D.
CEO - Tyfone, Inc.
Portland | Bangalore | Taipei
www.tyfone.com <http://www.tyfone.com>
Voice: +1.661.412.2233

On Wed, Sep 23, 2015 at 11:08 AM, Harry Halpin <hhalpin@w3.org> wrote:

> On 09/23/2015 01:36 PM, Hadi Nahari wrote:
> >
> > On 9/23/15, 9:43 AM, "Harry Halpin" <hhalpin@w3.org> wrote:
> >
> >> On 09/23/2015 12:25 PM, Martin Paljak wrote:
> >>> Hello,
> >>>
> >>> On 23/09/15 18:45, Harry Halpin wrote:
> >>>> At this point, I think it would be a useful discussion for the Chair of
> >>>> the IG to move the IG to member-only in a re-chartering, as it may be
> >>>> the only way to keep the discussion on-topic.
> >>> What exactly is off-topic or trolling?
> >>>
> >>> It seems to me that people have quite nicely tried to bring up the
> >>> possibility of at least *discussing* security models other than SOP for
> >>> certain scenarios, but are being turned down with "you don't seem to know
> >>> how the Web works, the Web will not work with that, only SOP is ever
> >>> being discussed, period".
> >>>
> >>> While SOP is a fundamental principle for web security, I don't think it
> >>> is *the* principle everything and anything must comply to. Am I wrong?
> >>>
> >>> Maybe it makes sense to remind two nice sayings:
> >>>
> >>> "Browser is supposed to be a User-Agent, not Industry-Agent"
> >>> and
> >>> "If all you have is a hammer, everything starts to look like a nail"
> >>>
> >>> I don't know what exactly you think by "the Web" but it seems that there
> >>> is a fundamental difference in understanding what the user actually
> >>> wants or is supposed to want or is allowed to want.
> >>>
> >>> Clearly articulating that you don't care and don't want to listen is OK,
> >>> but rejecting meaningful dialogue by masking it as "trolling" is not
> >>> going to lead to fruitful results.
> >>>
> >>> I think it is obvious that there is a fundamental difference between how
> >>> certain groups think or envision "the web" but I see no fundamental
> >>> reason why the two groups can't work together on technical terms,
> >>> finding the balance and compromises between the different approach to
> >>> security, privacy etc.
> >>>
> >>> Except for "don't want to play together, so no point in trying" is the
> >>> reason, in which case it really makes no sense. That's not the web I'm
> >>> into.
> >> I am bringing up the point that the Web Security Interest Group is based
> >> on the "Web", whose only meaningful security boundary is the Same Origin
> >> Policy.
> >>
> >> It would of course be within scope on how to tie existing, non-Web
> >> security models to the Web Security Model and to respect the same origin
> >> policy. I suggested for example, per-origin based key derivation. There
> >> are many other possible routes.
> >>
> >> However, throwing Same Origin Policy out would be out of scope and is a
> >> non-starter likely for anything that be implemented. If there are basic
> >> problems understanding the Same Origin Policy, I believe this should be
> >> addressed off-list. For non-Web security standards, there are many other
> >> forums to choose from.
> >>
> >> cheers,
> >> harry
> >>
> >>>
> >>> Martin
> >>
> > Harry;
> >
> > I have been following this specific thread with a great deal of interest
> > and haven't felt spammed. I think your attempt to shut this down is out of
> > line, though I agree that a bit of civility could help. The [non-]
> > argument of "you don't know how [X] works" is not logical reasoning, and
> > does not replace it.
>
> I believe it should be expected that in addition to civility, folks on
> this list need to have a basic understanding of the Web and security.
> Thus, a move to an Invited Expert/Member model may be appropriate to the
> IG.
>
> >
> >>> … "whose only meaningful security boundary is the Same Origin Policy.
> > I disagree. This is the whole reason that having conversations like this
> > is useful so that we "evaluate" whether this is true, rather than "assert"
> > it.
> >
> > Let's, instead, follow and apply rules of civilized argumentation, rather
> > than just shut things down. Not cool.
>
> If you have a different security and privacy boundary than SOP, you
> should articulate it.
>
> However, Anders and others seem to be insinuating there is a conspiracy
> against them rather than clearly articulating their desired
> security/privacy boundary, when the problem may instead be, as I pointed
> out, the fact that proposals to break SOP have security/privacy problems
> and these should be addressed by adapting these proposals to SOP.
> Greater permissions, access to hardware tokens, user control over
> Javascript, and other useful security/privacy could be accomplished
> without breaking SOP. When arguing to replace SOP, you should first
> prove what you want can't be done within SOP and why.
>
> Simply throwing out security/privacy boundaries on the Web would make
> things *much* worse for end-users, enable easier-tracking, and open
> whole new attack surfaces. For an example of how 'extension' models that
> don't respect SOP go wrong, browser extensions are a useful example:
>
> http://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/
>
> Thus, causing changes in browsers like Mozilla:
>
> http://www.scmagazineuk.com/mozilla-changes-security-model-to-bolster-extension-protection/article/434599/
>
> Due to these kinds of attacks, I expect browser extensions to be slowly
> phased out precisely due to their lack of a meaningful security/privacy
> boundary. If one wants to replace or violate SOP, one should be aware of
> how it could be abused.
>
> cheers,
> harry
>
> >
> > Regards,
> > -Hadi
> > P.S. Though I don't agree with all Mr. Rundgren's assertions, but have
> > also seen some vile attacks/responses against him, which I think are
> > unwarranted. D.S.
> >
> > \-------------------------------------
> > Hadi Nahari, Chief Security Architect
> > NVIDIA, +1.408.562.7916
> > --------------------------------------\
> > Dubito ergo mihi licet esse
> >
> > -----------------------------------------------------------------------------------
> > This email message is for the sole use of the intended recipient(s) and may contain
> > confidential information. Any unauthorized review, use, disclosure or distribution
> > is prohibited. If you are not the intended recipient, please contact the sender by
> > reply email and destroy all copies of the original message.
> > -----------------------------------------------------------------------------------

Received on Wednesday, 23 September 2015 18:22:11 UTC