Re: A Somewhat Critical View of SOP (Same Origin Policy)

Brad, 

On Tuesday 15 September 2015 22:42:17 Brad Hill wrote:
> FIDO is not "like a cookie".  Cookies are about session and state
> management.  FIDO replaces passwords or certificates to provide strong
> authentication

[...]
> 
> <keygen> entangles being identified with being authenticated, 

Are you telling me that FIDO is good strong authentication and keygen bad 
strong authentication? How, in this case, would the use cases that Tim mentioned 
be done with FIDO? Out of the box?

Is keygen the same as any other connection to the offline ID token world?

 --Rigo

P.S. If you're authenticated you can do serverside stateful service, so all 
authentication is like a cookie :) But some cookie is not authentication. 

Received on Wednesday, 16 September 2015 09:39:41 UTC