Re: A Somewhat Critical View of SOP (Same Origin Policy) from Melvin Carvalho on 2015-09-29 (public-web-security@w3.org from September 2015)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 29 Sep 2015 03:38:47 +0200
To: Dave Longley <dlongley@digitalbazaar.com>
Cc: Harry Halpin <hhalpin@w3.org>, Rigo Wenning <rigo@w3.org>, Brad Hill <hillbrad@gmail.com>, public-web-security@w3.org
Message-ID: <CAKaEYhKRtNyxD7MvXHSL8NR+7bvkCha210ec3pYnbkGNP-MgEg@mail.gmail.com>

On 29 September 2015 at 03:19, Dave Longley <dlongley@digitalbazaar.com>
wrote:

> On 09/28/2015 08:21 PM, Harry Halpin wrote:
> >
> > There is no disagreement on using URIs to name things (although URIs
> > clearly are not *actually* decentralized, as they rely on DNS and as
> > such ICANN).
>
> Just a quick note that URIs are just identifiers; they are only bound to
> particular networks via schemes, etc. Your statement is certainly true
> if we're talking about common HTTP(S) URIs. However, you could use other
> URIs for decentralized networks that don't have to rely on DNS, though
> sometimes they do as a bootstrapping mechanism.
>

Yes exactly.  URIs are, to all intents and purposes, decentralized.  You
can argue that specs themselves are a form of centralization, but I dont
think it adds anything to this conversation.

Each URI scheme will have it's own set of rules.  People using HTTP for
example should follow the rules of HTTP for identity, email should follow
the rules of the mailto: scheme, xmpp that scheme etc.  In this sense
arguing over how relatively decentralized URIs are, is as much a red
herring as arguing that the phonetic alphabet is a form of centralization.

What is of more practical use is to decide whether your system will use
primarily email style identifiers (then follow mailto:) or http style
identifiers (then use http:) or whether you use another system (say xmpp:)
then document this in your system so that others can work together with
you.  The URI system is certainly rich enough to cover all the systems
currently in use to generate a robust and reusable social graph, which can
form the basis of pretty much any identity based use case.

It's curious why we havent solved this in a general sense yet.  I would
guess that systems with robust social graphs (such as facebook) will over
time provide compelling demonstrations.

>
>
> >
> > I believe there is a disagreement in terms of accessing the *same*
> > identifiers from a browser *per user* across the Web. For example, in
> > using client certificates and other X.509 infrastructure (and
> > uniquely identifying government eID schemes) without adaptation to
> > SOP. You could imagine, for example, access different identifiers
> > (add in an origin to a key derivation function) or even ZKPs
> > (proofs-of-possession) per user for authentication.
>
> Here's a link to a previous brief discussion on ZKPs and credentials
> that may be of interest to readers of this thread:
>
> https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0015.html
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
>

Received on Tuesday, 29 September 2015 01:39:18 UTC