Re: A Somewhat Critical View of SOP (Same Origin Policy) from Brad Hill on 2015-09-17 (public-webappsec@w3.org from September 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 17 Sep 2015 13:51:03 +0000
To: Rigo Wenning <rigo@w3.org>
Cc: Henry Story <henry.story@co-operating.systems>, Tony Arcieri <bascule@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, public-webappsec@w3.org
Message-ID: <CAEeYn8jWOH0stqFzPHb3z-6m98z8+SpUcXpkROHymC+af+RFQw@mail.gmail.com>

>
>
> 3/ Is FIDO excluding all other authentication and security tools
>
> No. I believe there is a place for something else that is less dependent on
> large origins for their trust relation... --Rigo


Again, with respect, this fundamentally misunderstands what FIDO does.

FIDO works directly between end users and the sites they visit.  There is
no third party dependency, let alone any relationship to "large origins"
AKA "super-providers".

This is exactly the beauty of de-coupling strong authentication from
Identity,  FIDO makes strong authentication instantly available to every
web application at every scale, without having to establish *any* trust
relationships with third parties.  The relationships between users and
applications are unmediated.

How you exchange Identity or AuthZ assertions is an independent problem.
Federation is one way (which happens to have a large installed base and
history of successful deployment) but it's an orthogonal issue.  FIDO can
work with this, but it can work as well with other technologies.  Whatever
shortcomings you may think that federation systems as deployed today, they
are not shortcomings of FIDO.

You can even do an Identity-entangled authentication with a client
certificate, and then re-authenticate with FIDO over that secure channel.

FIDO is just strong authentication, sans identity.  So rather than trying
to hang the sins (whatever they are) of Federated Identity around FIDO's
neck, you might instead consider whether perhaps the fact that we've failed
to deploy strong authentication successfully at scale for so many years has
anything to do with the fact that so far we've always made it dependent on
a grand vision of Identity.

Maybe we can do better by solving one hard problem at a time and using
composable solutions.  To me, being able to make independent choices about
the method and strength of my authentication, and whether and how I share
information about my identity, seems to be much more respectful of the
principle of User Choice than any entangled solution can ever be.

-Brad

Received on Thursday, 17 September 2015 13:51:42 UTC