
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 23 Sep 2015 19:46:58 -0400
To: Harry Halpin <hhalpin@w3.org>, Jeffrey Yasskin <jyasskin@google.com>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
Message-ID: <560339F2.8070101@digitalbazaar.com>

On 09/23/2015 06:43 PM, Harry Halpin wrote:
> On 09/23/2015 03:18 PM, Jeffrey Yasskin wrote:
>> On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley 
>> <dlongley@digitalbazaar.com> wrote:
>>> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>>> In my opinion the #1 problem with this discussion is that
>>>>> when you mention things that don't match the SOP vision,
>>>>> like the fact that Android-, Apple-, and Samsung-Pay don't
>>>>> work on the Web, dead silence is all you get.
>>>> Since the same origin policy is the primary meaningful security
>>>> boundary on the Web, I expect for most people interested in
>>>> security and privacy that emails that dismiss SOP are generally
>>>> put in the spam folder.
>>>> I do understand some people are interested in creating, for
>>>> example, a 'unique identifier' across all websites such as in the
>>>> form of an X.509 certificate. This sort of totalitarian
>>>> identity scheme...
>>> "dismissing"? "totalitarian"? These words have meanings that
>>> don't seem to line up with their usage here, but their
>>> connotations do yield negative visceral reactions. Is the goal
>>> discord or understanding?
>>> I've really only been following this thread from the sidelines,
>>> but who has dismissed SOP? Who has shown interest in creating a
>>> 'unique identifier' across all websites? Are you referencing a
>>> different discussion?
>> He might be referring to
>> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
>> which expresses a goal to "allow[] you to use one certificate to
>> authenticate to all servers".
> In particular, I'm also referring to WebID+TLS [1], which Dave
> Longley and Manu Sporny implemented [2] and used to support.

So when you were referring to someone dismissing SOP and creating a
'unique identifier' across all websites you meant to include me? These
are not positions I support. We clearly have a misunderstanding.

> While I am glad the RDF/Linked Data community has noticed security
> and privacy

Please try to use a more respectful tone. It would be best to avoid
divisive tribal rhetoric; it is unhelpful.

> Enabling the user to use a private/public key pair over the Web, but
> in process losing what privacy the user has by associating them with
> a public key or certificate that acts as a 'supercookie' across
> origins is *not* a good idea.

I agree. We shouldn't be creating something that acts like a 'supercookie'.

> Despite a lack of vendor and user support or even interest, a small 
> group of people from these Community Groups sends endless emails to 
> various Working Groups, such as the Web Application Security Working 
> Group and Web Cryptography Working Group, pushing the TAG, and so on
> to get their design based on "one key per user" inserted into the
> Web.

What exactly is a "one key per user" design? I don't believe that I or
the Credentials CG is pushing that and I'm not aware of anyone from the
Credentials CG that sends "endless emails to various Working Groups..."
to convince them of such a thing on behalf of the Credentials CG. If
there is such a member that fits your description, they don't represent
the goals of the group.

To borrow from Brad Hill, some of the narrative above is frankly,
cartoonish. We ought to all try to move away from the tarpit of
conspiracy theories and guessing other people's motivations and instead
focus on use cases, technology, and a way forward.

Dave Longley
Digital Bazaar, Inc.
Received on Wednesday, 23 September 2015 23:47:28 UTC