W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 16 Sep 2015 11:21:49 +0200
To: Tony Arcieri <bascule@gmail.com>
Cc: Henry Story <henry.story@co-operating.systems>, "public-web-security@w3.org" <public-web-security@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <2431025.Le2I3mq1Ni@hegel>
On Tuesday 15 September 2015 13:14:49 Tony Arcieri wrote:
> Speaking as someone who attended WebCrypto Next Steps, the common theme to
> me was actually a fundamental incompatibility between PKCS#11 APIs and how
> web browsers operate. Many talks alluded to some sort of "bridge" or
> "gateway" or "missing puzzle piece" to connect the Web to PKCS#11 hardware
> tokens. Unfortunately there were no concrete proposals from either a
> technical or UX perspective. It was mostly a dream from all of the vendors,
> realized in slightly different vague handwavy visions, of how someone could
> swoop in and magically solve this problem for everyone. Clearly dreams
> without actual technical proposals didn't go anywhere.

I wasn't there. What is the fundamental incompatibility? Has someone written 
that down? Pointer? And why PKCS#11? There are other proposals to deal with 
hardware-security. Are they incompatible too?

We should also note that the SOP argument is not an answer to the underlying 
identity management question. And having some account with some of the big 
estates on the web is no valid answer here. I think part of the issue is that 
we try to connect offline identity management with online identity management. 
There, SOP is just no argument. What is the relation between SOP and my 
identity? Unless, like Tantek always suggests, I use my own site to define my 
identity and use origin and identity as the same thing. I think it will be a 
much reduced world if identity is reduced to origins. 

And again, that we can't take unscoped tokens and assume they are trustworthy 
in any context is so obvious that this shouldn't be the point the 
argumentation is focusing on.

 --Rigo

Received on Wednesday, 16 September 2015 09:22:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC