- From: Harry Halpin <hhalpin@w3.org>
- Date: Wed, 23 Sep 2015 09:57:56 -0400
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>
- CC: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
On 09/23/2015 03:42 AM, Anders Rundgren wrote: > In my opinion the #1 problem with this discussion is that when you > mention > things that doesn't match the SOP vision like the fact that Android-, > Apple-, > and Samsung-Pay doesn't work on the Web, dead silence is all you get. Since the same origin policy is the primary meaningful security boundary on the Web, I expect for most people interested in security and privacy that emails that dismiss SOP are generally put in the spam folder. I do understand some people are interested in creating, for example, 'unique identifier' across all websites such as in the form of a X.509 certificate. These sort of totalitarian identity scheme (often based on broken crypto, such as <keygen>) will likely implemented across all browsers, as would any payment scheme that makes the same broken assumptions. Supporters of such positions seem to have a lack of understanding of the modern Web and/or basic cryptography and while to some extent basic education can be done on Web-related mailing lists, I doubt many people find it is a productive use of their time given the large amount of high quality online courses out there and relatively important work that has to be done in terms of Web standards. In particular, it is likely more productive for various non-SOP schemes to find a way to adopt to SOP in a principled manner and so maintain security and privacy properties. Payment schemes, identity schemes, and the rest should and can do this. cheers, harry > > -- Anders > >
Received on Wednesday, 23 September 2015 13:58:01 UTC