
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Mon, 28 Sep 2015 21:19:51 -0400
To: Harry Halpin <hhalpin@w3.org>, Melvin Carvalho <melvincarvalho@gmail.com>, Rigo Wenning <rigo@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, public-web-security@w3.org
Message-ID: <5609E737.3080301@digitalbazaar.com>

On 09/28/2015 08:21 PM, Harry Halpin wrote:
> There is no disagreement on using URIs to name things (although URIs 
> clearly are not *actually* decentralized, as they rely on DNS and as 
> such ICANN).

Just a quick note that URIs are just identifiers; they are only bound to
particular networks via schemes, etc. Your statement is certainly true
if we're talking about common HTTP(S) URIs. However, you could use other
URIs for decentralized networks that don't have to rely on DNS, though
sometimes they do as a bootstrapping mechanism.

> I believe there is a disagreement in terms of accessing the *same*
> identifiers from a browser *per user* across the Web. For example, in
> using client certificates and other X.509 infrastructure (and
> uniquely identifying government eID schemes) without adaptation to 
> SOP. You could imagine, for example, accessing different identifiers
> (add in an origin to a key derivation function) or even ZKPs 
> (proofs-of-possession) per user for authentication.

Here's a link to a previous brief discussion on ZKPs and credentials
that may be of interest to readers of this thread:


Dave Longley
Digital Bazaar, Inc.
Received on Tuesday, 29 September 2015 01:20:19 UTC
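
The per-origin idea raised in the quoted text (adding the origin to a key derivation function so that each site sees a different identifier) can be sketched as follows. This is an added example, not part of the original message; the HKDF construction, the label string, the function names and the sample secret are assumptions chosen for illustration.

```javascript
// Added illustration: per-origin identifiers derived from one user secret.
// All names here are hypothetical; nothing below comes from the thread itself.
const crypto = require("node:crypto");

// Constructed sample secret. A real user agent would generate this randomly
// and never expose it to any site.
const MASTER_SECRET = Buffer.from("constructed-sample-master-secret-0001", "utf8");

// Reduce a URL to its origin (scheme, host, port), the unit SOP isolates.
// URL parsing lowercases the host and drops the default port, path and query,
// so equivalent spellings of one origin map to the same string.
function canonicalOrigin(url) {
  const u = new URL(url);
  if (u.protocol !== "https:") {
    // Without TLS the origin is not authenticated, so binding to it means little.
    throw new Error("refusing to derive an identifier for a non-HTTPS origin");
  }
  return u.origin;
}

// HKDF-SHA256 with the origin in the "info" input: the same secret yields a
// stable identifier per origin, and identifiers for different origins cannot
// be linked to each other without knowing the secret.
function deriveOriginIdentifier(masterSecret, url) {
  const info = Buffer.from("per-origin-id/v1 " + canonicalOrigin(url), "utf8");
  const okm = crypto.hkdfSync("sha256", masterSecret, Buffer.alloc(0), info, 32);
  return Buffer.from(okm).toString("hex");
}

// Group URLs by the identifier each one would present. Two URLs land in the
// same group only if they share an origin.
function groupByIdentifier(masterSecret, urls) {
  const groups = new Map();
  for (const url of urls) {
    const id = deriveOriginIdentifier(masterSecret, url);
    if (!groups.has(id)) groups.set(id, []);
    groups.get(id).push(url);
  }
  return groups;
}
```

A lookalike host such as `https://example.com.evil.test/` is a different origin and therefore receives an unrelated identifier, which is the property a single global identifier such as a client certificate does not have.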
