- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Wed, 23 Sep 2015 12:18:50 -0700
- To: Dave Longley <dlongley@digitalbazaar.com>
- Cc: Harry Halpin <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>

On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley <dlongley@digitalbazaar.com> wrote:
> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>
>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>
>>> In my opinion the #1 problem with this discussion is that when you
>>> mention things that don't match the SOP vision like the fact that
>>> Android-, Apple-, and Samsung-Pay don't work on the Web, dead silence
>>> is all you get.
>>
>> Since the same origin policy is the primary meaningful security boundary
>> on the Web, I expect for most people interested in security and privacy
>> that emails that dismiss SOP are generally put in the spam folder.
>>
>> I do understand some people are interested in creating, for example,
>> 'unique identifier' across all websites such as in the form of a X.509
>> certificate. These sort of totalitarian identity scheme...
>
> "dismissing"? "totalitarian"? These words have meanings that don't seem to
> line up with their usage here, but their connotations do yield negative
> visceral reactions. Is the goal discord or understanding?
>
> I've really only been following this thread from the sidelines, but who has
> dismissed SOP? Who has shown interest in creating a 'unique identifier'
> across all websites? Are you referencing a different discussion?

He might be referring to
https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
which expresses a goal to "allow[] you to use one certificate to
authenticate to all servers".

Jeffrey

Received on Wednesday, 23 September 2015 19:19:40 UTC