SOP is a technical Principle, which is trumped by the legal principle of User Control. I made this point in the thread to the TAG
and it fits the TAG finding on Unsanctioned Tracking.
Current browsers respect user control with regard to certificates - some better than others. It can be improved, but that can best be done through legal and political pressure.
If the user is asked if she wants to authenticate with a global ID to a web site, then that is her prerogative.
As long as she can select the identity she wishes to use, and change identity when she wants to, or become anonymous: she must be in control.
Privacy is actually improved in distributed yet connected services. By having distributed co-operating organisations each in control of their information, each can retain their autonomy. As an example it should be quite obvious that the police cannot share their files with those of the major social networks, nor would those have time to build the tools for the health industry, nor would those work for universities, etc. etc... The world is a sea of independent agencies that need to look after their own data, and share it with others when needed. In order to share the data, they need to give other agents access, they need to *control* access, which means you need some form of global identities that can be as weak as temporary pseudonyms, or stronger. In fact they can evolve out of pseudonyms into strong identifiers on which a reputation has built itself.
Of course anonymous or one site identities should be the basis of that and FIDO provides that, but not more.
On top of FIDO you can see OpenID, SAML and OAuth profiling themselves very clearly in the FIDO UAF Architectural Overview:
These global identities based on URIs won't go away in a Web that is a web of billions of organisations, individuals and things, connected and interconnected.
Here is the picture from the architectural UAF document mentioned above. (It fails to mention that in many cases after an OAuth or OpenID the Relying Party communicates with the Federation Party until recently called the identity provider.) So really FIDO is just setting a super strong cookie with some cryptographic properties which then more and more often needs to be bolted onto actual Identity Providers. All of this relies on server side cryptographic keys tied to TLS, so that the major parties are in effect using certificates for global authentication.
(They could also have added WebID to the mix: http://webid.info/
but that is annoyingly simple, which is why I like it :-)
Now WebID is not tied logically to TLS. We have some interesting prototypes that show how WebID could work with pure HTTP.
• Andrei Sambra's first sketch with
• Manu Sporny's more fully fleshed out HTTP Message signature
These two could be improved and merged.
This would allow a move to use strong identity in HTTP/2.0 (SPDY), which could then be supported by the browsers who could build User Interfaces that give the users control of their identity with user interfaces described by your Credentials Management document developed here
Funnily enough one should already be able to try Andrei or Manu's protocol in the Browser with JS, WebCrypto, and ServiceWorkers. There are many things to explore here and the technology is still very new.
But this shows that WebCrypto actually allows one to do authentication across origins. (And how could
it not, since it is a set of low level crypto primitives?) A Single Page application from one site can publish
a public key and authenticate to any other site with that key.
So it's a bit weird that SOP is invoked to remove functionality that puts the user in control in the browser,
and that WebCrypto is then touted simultaneously as the answer, when in fact WebCrypto allows Single Page Applications (SPA) to authenticate across Origins, and do what the browser will no longer be able to do.
Let's make sure the browser can also have an identity. It's an application after all!
Let's stop using SOP as a way to shut down intelligent conversation. Let's think about user control as the aim.
 as it may seem from the TLS-spec which we developed first because it actually worked.
 which is why it is wrong to remove 15 year old <keygen> technology on which a lot of people depend
around the world as explained so well by Dirk Willem Van Gulik on the blink thread before a
that Sweden has a huge number of people there, and that it might not be too good to get noticed by
states: Russia and the EU just this month started antitrust investigations against Google for example.
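
The following is an added example, not part of the original message and not Andrei Sambra's or Manu Sporny's protocol: a WebCrypto sketch of a Single Page Application publishing one public key and authenticating to more than one origin with it, where each verifier accepts only a signature bound to its own origin and its own fresh nonce. All function names, origins, the key URL and the message layout are assumptions made for illustration.

```javascript
// Added example: names, origins and message layout are assumptions, not a published protocol.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const enc = (obj) => new TextEncoder().encode(JSON.stringify(obj));

// Client side (SPA served from one origin): create a key pair, keep the private
// key non-extractable, and export the public half so it can be published.
async function createIdentity(keyUrl) {
  const pair = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  const publicJwk = await subtle.exportKey('jwk', pair.publicKey);
  return { keyUrl, privateKey: pair.privateKey, publicJwk };
}

// Client side: sign the server's nonce together with the origin it is meant for.
async function signLogin(identity, audience, nonce) {
  const claims = { keyUrl: identity.keyUrl, audience, nonce };
  const signature = await subtle.sign(SIG, identity.privateKey, enc(claims));
  return { claims, signature };
}

// Server side: accept only a signature over *this* origin and *this* nonce,
// checked against the key the server fetched from the published key URL.
async function verifyLogin(myOrigin, expectedNonce, publishedJwk, { claims, signature }) {
  if (claims.audience !== myOrigin) return { ok: false, reason: 'wrong audience' };
  if (claims.nonce !== expectedNonce) return { ok: false, reason: 'stale nonce' };
  const key = await subtle.importKey('jwk', publishedJwk, ALG, false, ['verify']);
  const ok = await subtle.verify(SIG, key, signature, enc(claims));
  return ok ? { ok: true, subject: claims.keyUrl } : { ok: false, reason: 'bad signature' };
}

// Constructed scenario: one identity, two relying origins (b.example, c.example).
async function demo() {
  const id = await createIdentity('https://spa.example/keys#k1'); // constructed URL
  const toB = await signLogin(id, 'https://b.example', 'nonce-1');
  const toC = await signLogin(id, 'https://c.example', 'nonce-9');
  return {
    accepted: await verifyLogin('https://b.example', 'nonce-1', id.publicJwk, toB),
    otherSite: await verifyLogin('https://c.example', 'nonce-9', id.publicJwk, toC),
    replayedElsewhere: await verifyLogin('https://c.example', 'nonce-1', id.publicJwk, toB),
    replayedLater: await verifyLogin('https://b.example', 'nonce-2', id.publicJwk, toB),
  };
}
```

The same key logs in at both origins, while a signature issued for one origin or one nonce is rejected when presented for another.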