Re: A Somewhat Critical View of SOP (Same Origin Policy)

Brad, 

On Wednesday 16 September 2015 17:13:38 Brad Hill wrote:
> I think FIDO can live alongside other approaches, but do think that FIDO is
> better because a lot of folks, myself included, spent a lot of time and
> effort designing it as a way of using public keys for strong authentication
> that emphasizes user choice, safety, and privacy, that aligns well with the
> rest of the security and privacy features of both the web and the most
> common mobile platforms, and which respects and works well with what we've
> learned about the architecture and operation of the web at a large scale
> over the last 25 years. I think that work deserves a fair assessment based
> on what it really is and does, so I'm mostly in this thread to correct
> misinformation and misapprehensions about it.

Thanks for the clarity. 

This doesn't sound super exclusive. Meaning we have the following questions 
(with my opinions):

1/ Is keygen so harmful that browsers should throw it out? 

As you may understand, I will not contradict my boss Timbl :)

2/ Is FIDO good? 

Yes, I hate passwords and I promote hoba 
http://tools.ietf.org/html/rfc7486

3/ Is FIDO excluding all other authentication and security tools 

No. I believe there is a place for something else that is less dependent on 
large origins for their trust relation and less limited on SOP. I think that 
the Web should not ignore e.g. the several eIdentity movements around the 
world. 

 --Rigo

Received on Thursday, 17 September 2015 12:48:13 UTC