W3C home > Mailing lists > Public > public-web-security@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 29 Sep 2015 01:00:23 +0200
Message-ID: <CAKaEYhK9BBfy2QGOLm3Jrpk6K7YXm+8oWVLfoazEtaCYrh1aow@mail.gmail.com>
To: Rigo Wenning <rigo@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, Dave Longley <dlongley@digitalbazaar.com>, public-web-security@w3.org

On 26 September 2015 at 12:33, Rigo Wenning <rigo@w3.org> wrote:

> On Wednesday 23 September 2015 19:01:17 Brad Hill wrote:
> > But here we are, in 2015, and Identity is still the White Whale of the
> > Web.
>
> This in itself shows a really fundamental difference in the understanding
> of identity, its social functions and the expectations attached to it.
>

Having followed identity for 10 years, since Brad Fitzpatrick's pivotal
work on OpenID, I would say it has been very hard to make any progress at
all.  What has been described as "schoolboy politics" seems to hinder
progress in the consensus process.  Typically this consists of a world view
that cannot contemplate an inclusive approach and will actively work to
censor that conversation.  I have noticed that every time this topic has
made progress, someone will jump in and try to shut it down.  Most
recently this occurred in the Social Web WG, but it has been consistent over
about a dozen efforts inside and outside the W3C.

The technicals are much easier than the politics, provided that there is a
willingness to follow existing web standards.  It simply boils down to
using URIs to name things.  Something we all agree on in principle, but never
do in practice.  It still is the white whale of the web; I really hope it's
possible to make more progress in the next 5 years than we have in the last.
The way to do that is to allow the conversation to happen and be tolerant
of other people's ideas.


>
> BTW, in a project we implemented the Chaum credentials for age verification
> and other anonymous credentials (with IBM, MS, SAP and others). People were
> interested. There were IPR issues in the way. And the belief of many web
> actors that knowing somebody's name, having a profile, having an "identity"
> equals "trust" needed for ecommerce. So "browser makers" were not interested
> because it wasn't a mainstream thought. Arguing Zeitgeist doesn't mean the
> Zeitgeist is right or that the Zeitgeist can't change.
>
> And only because the current browser makers believe that SOP is the only way
> to scope a credential or token doesn't mean it is really the only way. It
> just means that it is more difficult to get implementation if a viable
> solution is found. We had that for over 10 years with Microsoft pouting CSS,
> isn't it?
>
> So arguing a dichotomy isn't helping IMHO.  But of course I hear your
> warnings about past mistakes and I still feel my own defeats in the EU
> electronic signature circus where I failed to convince others that their
> HIGH security requirements will not work with Web integration. What I want
> is a real discussion and not just the throwing of drop-dead-arguments.
>
>  --Rigo
>
>
Received on Monday, 28 September 2015 23:00:52 UTC