Harry,
On Monday 28 September 2015 20:21:48 Harry Halpin wrote:
> Again, there is no reason why SOP can't work with zero-knowledge proofs,
> URIs as human-centric identifiers, etc. You simply have to scope the
> authentication mechanism on a per origin basis (again, a very good thing
> for privacy) and then use explicit permissions. This can be done via
> FIDO+OAuth based solutions, and I see no reason why particular
> authenticators (including smartcards, eID systems, etc.) can't do it
> with other authentication and authorization flows.
This seems to be a nice summary of what Anders is trying to tell us for some
weeks now. And if you add a scope (I would also be worried by unscoped tokens
that can be replayed), the scope can be SOP or something even more
restrictive. For the moment, there is no way to express that. So just putting
an API that lets me talk to EMV is something Brad and Alex have rightly
criticised. But the current HASEC suggestion isn't proposing such an oversimplistic
approach either.
--Rigo
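The point both messages circle around, a token scoped to an origin so that it cannot be replayed elsewhere, can be shown concretely. The following is an added illustration, not code from this thread or from any FIDO, OAuth or HASEC specification. It assumes a hypothetical issuer and verifier sharing an HMAC key (a constructed secret), an `aud` claim that carries the web origin the token was issued for, and a `scope` list the verifier checks against the operation being requested.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real deployment would use a
# per-issuer key (or an asymmetric signature), never a literal in source.
KEY = b"example-shared-secret-not-for-real-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, origin: str, scope: list, ttl: int = 300, now=None) -> str:
    """Issue a token bound to one origin (aud) and a list of permitted operations."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "aud": origin, "scope": scope, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, presenting_origin: str, required_scope: str, now=None):
    """Accept the token only if it is intact, unexpired, issued for the origin
    that is presenting it, and carries the scope the operation needs.
    Returns (True, subject) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return (False, "malformed")
    expected = _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return (False, "bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] < now:
        return (False, "expired")
    # Origin binding: the same token presented from another origin is rejected,
    # which is what makes the scoping "SOP or more restrictive".
    if payload["aud"] != presenting_origin:
        return (False, "origin mismatch")
    if required_scope not in payload["scope"]:
        return (False, "insufficient scope")
    return (True, payload["sub"])


if __name__ == "__main__":
    t = issue_token("alice", "https://bank.example", ["sign"], now=1000)
    print(verify_token(t, "https://bank.example", "sign", now=1010))
    print(verify_token(t, "https://other.example", "sign", now=1010))
```

The verifier checks the signature before parsing any claim, so a tampered `aud` or `scope` never reaches the origin or scope comparison; the origin check then does the work the thread describes, and an explicit scope list keeps a token issued for one operation from being reused for another.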