- From: Harry Halpin <hhalpin@w3.org>
- Date: Wed, 23 Sep 2015 18:43:23 -0400
- To: Jeffrey Yasskin <jyasskin@google.com>, Dave Longley <dlongley@digitalbazaar.com>
- CC: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
On 09/23/2015 03:18 PM, Jeffrey Yasskin wrote:
> On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley
> <dlongley@digitalbazaar.com> wrote:
>> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>> In my opinion the #1 problem with this discussion is that when you mention
>>>> things that don't match the SOP vision, like the fact that Android-, Apple-,
>>>> and Samsung-Pay don't work on the Web, dead silence is all you get.
>>>
>>> Since the same origin policy is the primary meaningful security boundary
>>> on the Web, I expect for most people interested in security and privacy
>>> that emails that dismiss SOP are generally put in the spam folder.
>>>
>>> I do understand some people are interested in creating, for example, a
>>> 'unique identifier' across all websites, such as in the form of an X.509
>>> certificate. These sorts of totalitarian identity schemes...
>>
>> "dismissing"? "totalitarian"? These words have meanings that don't seem to
>> line up with their usage here, but their connotations do yield negative
>> visceral reactions. Is the goal discord or understanding?
>>
>> I've really only been following this thread from the sidelines, but who has
>> dismissed SOP? Who has shown interest in creating a 'unique identifier'
>> across all websites? Are you referencing a different discussion?
>
> He might be referring to
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
> which expresses a goal to "allow[] you to use one certificate to
> authenticate to all servers".

In particular, I'm also referring to WebID+TLS [1], which Dave Longley and Manu Sporny implemented [2] and used to support. It appears their WebID+TLS work has evolved into the "Identity Credentials" spec [3] and HTTP Signatures (which claims to be part of the "Web Payments work", although it's clearly not part of the W3C work but of the Community Group) [4].
While I wholeheartedly support greater user control of identity, it seems both WebID+TLS and the Credentials Community Group are based on a dependency on RDF, idiosyncratic uses of cryptography that have an implicit 'one key per person' model, and a lack of familiarity with existing and widely deployed IETF specifications in this area such as OAuth and JOSE; instead they prefer to reference 'specs' that only members of their Community Group have authored. While I am glad the RDF/Linked Data community has noticed security and privacy, it also seems like their general high-level design violates reasonable privacy and security constraints (indeed, SOP is the only boundary we have), and so should be redesigned using existing IETF Working Groups such as those of OAuth and JOSE, W3C work such as the WebCrypto API, and be compatible with SOP. Enabling the user to use a private/public key pair over the Web, but in the process losing what privacy the user has by associating them with a public key or certificate that acts as a 'supercookie' across origins, is *not* a good idea. Again, I've suggested basic mitigations such as per-origin key derivation etc., and FIDO's design here seems as good as we've got right now. Despite a lack of vendor and user support or even interest, a small group of people from these Community Groups sends endless emails to various Working Groups, such as the Web Application Security Working Group and Web Cryptography Working Group, pushes the TAG, and so on, to get their design based on "one key per user" inserted into the Web. The origin of this idea seems to be some desire to transpose X.509 or (a misinterpretation of) GPG into the Web. It appears the long-term goal of these Community Groups is the hope that simply adding 'W3C Rec' to their idea would somehow drive adoption.
That is highly unlikely if all major vendors and experts agree it's a not-so-great idea in terms of security/privacy and there's little grassroots support, so whether or not it becomes a W3C Rec. would ultimately be irrelevant, as it would only make the W3C lose credibility in terms of standardization. Although it may be considered useful educationally to those in these Community Groups to continually shop their specs across the W3C, this behavior should not be encouraged at W3C if we are to be a productive place to do work. Instead, *inside the respective Community Group* the use-case should be properly defined, the burden of proof of showing that existing standards do not fulfil their use-case should be met, and basic security/privacy best practices should be followed, along with re-use of existing standards from the IETF and W3C and adequate review from the wider experts. When a level of reasonable maturity is reached, then it could be proposed to the IG for broader review and then, if sensible, to the W3C as a possible chartered Working Group. That would be a more productive path forward than the current situation with WebID+TLS, the Credentials Community Group, and whatever sort of 'standard' Anders wants to propose.

cheers,
harry

[1] http://www.w3.org/2005/Incubator/webid/spec/tls/
[2] http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_7.pdf
[3] http://opencreds.org/specs/source/identity-credentials/
[4] https://tools.ietf.org/html/draft-cavage-http-signatures-04

>
> Jeffrey
>
Received on Wednesday, 23 September 2015 22:43:27 UTC