
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 17 Sep 2015 14:47:55 +0200
To: Brad Hill <hillbrad@gmail.com>
Cc: Henry Story <henry.story@co-operating.systems>, Tony Arcieri <bascule@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <1619685.ZcIzpJ3iDi@hegel>
Brad, 

On Wednesday 16 September 2015 17:13:38 Brad Hill wrote:
> I think FIDO can live alongside other approaches, but do think that FIDO is
> better because a lot of folks, myself included, spent a lot of time and
> effort designing it as a way of using public keys for strong authentication
> that emphasizes user choice, safety, and privacy, that aligns well with the
> rest of the security and privacy features of both the web and the most
> common mobile platforms, and which respects and works well with what we've
> learned about the architecture and operation of the web at a large scale
> over the last 25 years. I think that work deserves a fair assessment based
> on what it really is and does, so I'm mostly in this thread to correct
> misinformation and misapprehensions about it.

Thanks for the clarity. 

This doesn't sound super exclusive. Meaning we have the following questions 
(with my opinions):

1/ Is keygen so harmful that browsers should throw it out? 

As you may understand, I will not contradict my boss Timbl :)

2/ Is FIDO good? 

Yes, I hate passwords and I promote HOBA: 
http://tools.ietf.org/html/rfc7486

3/ Is FIDO excluding all other authentication and security tools? 

No. I believe there is a place for something else that is less dependent on 
large origins for their trust relation and less limited on SOP. I think that 
the Web should not ignore e.g. the several eIdentity movements around the 
world. 

 --Rigo
Received on Thursday, 17 September 2015 12:48:13 UTC