
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Albert Lunde <atlunde@panix.com>
Date: Fri, 25 Sep 2015 11:45:31 -0500
To: Dave Longley <dlongley@digitalbazaar.com>, Dave Raggett <dsr@w3.org>, Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Martin Paljak <martin.paljak@ria.ee>, public-web-security@w3.org
Message-ID: <56057A2B.9020202@panix.com>
On 9/25/2015 8:48 AM, Dave Longley wrote:
> I think it would be better to create short-lived bearer credentials in
> these situations. An Issuer can create one of these or an Issuer or
> trusted "anonymizer" service could convert a long-lived credential into
> one of these and then give it to the User.

There's a thread about short-term vs. long-term identifiers running on 
the "MACE-Dir" list:

"[MACE-Dir] Identifiers in a federated world  Was: [InC] in what sense 
is attribute release a requirement?"

This is in the context of Shibboleth and SAML2, which has the ability to 
create either anonymous sessions, per-vendor IDs, or release globally 
unique, more-or-less public attributes like e-mail or eduPersonPrincipalName.

The experience with service providers seems to be that they want 
long-lived identifiers to create user profiles.

This is often used with commercial vendors (like library resources) or 
virtual organizations spanning several institutions. But typically 
there's some prior relationship between the organizations if not with 
the individual.

     Albert Lunde  albert-lunde@northwestern.edu
                   atlunde@panix.com  (address for personal mail)
Received on Friday, 25 September 2015 16:45:55 UTC
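The three identifier tiers the message mentions (anonymous sessions, per-vendor IDs, and released global attributes such as eduPersonPrincipalName) differ in exactly one property: who can link the identifier to what. The following Python is an added illustration, not code from the message or from the Shibboleth project. The pairwise computation follows the published Shibboleth "computed ID" recipe (SHA-1 over spEntityID!sourceID!salt, Base64-encoded); the salt, user record and SP entity IDs are constructed for the example.

```python
"""Three identifier tiers a SAML2/Shibboleth IdP can hand to a service
provider, and what each one lets the SP link.  Added illustration with
constructed values; the pairwise scheme mirrors the Shibboleth
computed-ID recipe (SHA-1 over spEntityID!sourceID!salt, Base64)."""
import base64
import hashlib
import secrets

# Constructed IdP salt.  A real deployment keeps this secret and never
# rotates it, or every SP's persistent IDs change at once.
IDP_SALT = "constructed-salt-0123456789abcdef"

# Constructed user record carrying a globally unique attribute.
USER = {"uid": "jdoe", "eduPersonPrincipalName": "jdoe@example.edu"}


def transient_id() -> str:
    """Anonymous session: a fresh random NameID per login.  Linkable to
    nothing, not even the same user's previous session at the same SP."""
    return "_" + secrets.token_hex(16)


def pairwise_id(sp_entity_id: str, source_id: str, salt: str = IDP_SALT) -> str:
    """Per-vendor persistent NameID: stable for one (user, SP) pair so the
    SP can keep a profile, but different at every other SP so two vendors
    cannot correlate their users by comparing identifiers."""
    material = f"{sp_entity_id}!{source_id}!{salt}".encode()
    digest = hashlib.sha1(material).digest()  # SHA-1, as in the computed-ID recipe
    return base64.b64encode(digest).decode()


def global_id(user: dict) -> str:
    """Released public attribute: identical everywhere, so it links the
    user across every SP that receives it (and to e-mail, directories, ...)."""
    return user["eduPersonPrincipalName"]


def same_user_next_login(sp: str, user: dict) -> dict:
    """Per tier: can this SP recognise the returning user on a second
    login?  Only the stable tiers let it build a profile."""
    return {
        "transient": transient_id() == transient_id(),
        "pairwise": pairwise_id(sp, user["uid"]) == pairwise_id(sp, user["uid"]),
        "global": global_id(user) == global_id(user),
    }


def linkable_across(sp_a: str, sp_b: str, user: dict) -> dict:
    """Per tier: can SP A and SP B match this user by comparing the
    identifier each of them received from the IdP?"""
    return {
        "transient": transient_id() == transient_id(),
        "pairwise": pairwise_id(sp_a, user["uid"]) == pairwise_id(sp_b, user["uid"]),
        "global": global_id(user) == global_id(user),
    }


if __name__ == "__main__":
    sp_a = "https://sp-a.example.org/shibboleth"   # constructed entity IDs
    sp_b = "https://sp-b.example.net/shibboleth"
    print("profile possible at one SP:", same_user_next_login(sp_a, USER))
    print("correlation across two SPs:", linkable_across(sp_a, sp_b, USER))
```

The pairwise tier is the one that satisfies the vendors' wish for a long-lived identifier to build a profile against without handing them a handle that is shared across vendors; that cross-vendor linkage is exactly what a released global attribute like eduPersonPrincipalName provides, and what a per-session transient ID withholds even from a single vendor.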
