On Saturday 29 August 2015 12:23:30 Mike O'Neill wrote:
> Yes, a single legal entity (like a company) can control several origins, and
> a single origin can be controlled by many entities (via subdomains). The
> SOP needs to be reinforced by a Single Entity Policy, i.e. by secure
> declaration of what legal entity manages a subdomain or domain (or set of
> them)

This is just calling for large entities being able to control multi-site
services. To require SOP being tied to the legal structure is not a solution.
It looks compelling only at first glance and evaporates when talking about
groups of legal persons that are dependent.
I'm rather with Anders here. I don't think the SOP argument has anything to do
with the discussion about securing things by hardware. If SOP is the only
possible scope in your head, we have a problem anyway, Houston...
So I think Anders' message should serve to start the scoping discussion. E.g.
I do NOT want to scope something for the same origin, but for "this
transaction". Coming on with the SOP as a drop dead argument against hardware
security and TEE is doing the apples and oranges game. Saying an apple is not
a good orange is not really helpful.
--Rigo