On Monday 14 September 2015 8:43:20 Tony Arcieri wrote:
> > Coming on with the SOP as a drop dead argument against hardware security
>
> SOP doesn't work with PKCS#11-style APIs. FIDO shows what's possible with
> hardware tokens that respect the SOP, though.
Obviously, because they all define their own scope. If you set one scope
absolute (e.g. SOP), the other doesn't fit. This isn't exactly magic. The
profound mistake is to believe that SOP is the only security on the web. I can
well imagine privacy+identity-management+security of transactions instead of
origins. This greatly reduces my trust exposure. It is just a totally
different way. And of course it can't apply globalalliance 1/1 as I imagine
the definition of scope is not compatible, right. But SOP is also the wrong
knife to cut that bread. Because the security here is not defined by the SOP,
but by your identity provider that crosses some origins. Otherwise it wouldn't
work.
--Rigo