Brad,
point taken and going back to the desk to learn more about it to find out how
to use the one in making the other happen.
--Rigo
On Thursday 17 September 2015 13:51:03 Brad Hill wrote:
> > 3/ Is FIDO excluding all other authentication and security tools
> >
> > No. I believe there is a place for something else that is less dependent
> > on large origins for their trust relation... --Rigo
>
> Again, with respect, this fundamentally misunderstands what FIDO does.
>
> FIDO works directly between end users and the sites they visit. There is
> no third party dependency, let alone any relationship to "large origins"
> AKA "super-providers".
>
> This is exactly the beauty of de-coupling strong authentication from
> Identity, FIDO makes strong authentication instantly available to every
> web application at every scale, without having to establish *any* trust
> relationships with third parties. The relationships between users and
> applications are unmediated.
>
> How you exchange Identity or AuthZ assertions is an independent problem.
> Federation is one way (which happens to have a large installed base and
> history of successful deployment) but it's an orthogonal issue. FIDO can
> work with this, but it can work as well with other technologies. Whatever
> shortcomings you may think federation systems as deployed today have, they
> are not shortcomings of FIDO.
>
> You can even do an Identity-entangled authentication with a client
> certificate, and then re-authenticate with FIDO over that secure channel.
>
> FIDO is just strong authentication, sans identity. So rather than trying
> to hang the sins (whatever they are) of Federated Identity around FIDO's
> neck, you might instead consider whether perhaps the fact that we've failed
> to deploy strong authentication successfully at scale for so many years has
> anything to do with the fact that so far we've always made it dependent on
> a grand vision of Identity.
>
> Maybe we can do better by solving one hard problem at a time and using
> composable solutions. To me, being able to make independent choices about
> the method and strength of my authentication, and whether and how I share
> information about my identity, seems to be much more respectful of the
> principle of User Choice than any entangled solution can ever be.
>
> -Brad