W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 23 Sep 2015 16:11:11 -0400
Message-ID: <5603075F.80605@digitalbazaar.com>
To: Brad Hill <hillbrad@gmail.com>, Harry Halpin <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>
CC: public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
On 09/23/2015 03:01 PM, Brad Hill wrote:
> I don't think anyone doubts your use cases or your cognitive
> ability. I doubt your understanding of history. People and
> organizations have been trying to do this kind of thing since Chaum's
> first patents on blind signatures in 1983.  Organizations as vast and
> powerful as Microsoft at the height of its monopoly power have
> invested hundreds of millions into trying to make it happen.

Two people can both be aware of past failures and draw two different
conclusions about the potential for future solutions. Maybe you reject
this assertion (ie: Identity on the Web is *unsolvable*), but I don't.

I certainly agree that it's a very hard problem, as I have stated
before. However, people will continue to try and act on the Web as they
do in society, whether or not we try to make it easier and more secure
for them to do so. People will continue to invent adhoc, less secure,
and less private mechanisms than a reasonably well-architected Web
standard might bring to achieve these goals. My point is
that you can't stop people from interacting with one another in the way
they want to and that society requires of them. It would be best if we
do what we can to help people do this in a standard way, and with as
much security and privacy as we can.

>
> The narrative I hear from the anti-SOP camp, that we've arrived at
> our current equilibrium solely because of the conspiratorial
> behavior of a few "super providers", and we can and should just tear
> it down and start over with the user / user agent in control to
> arrive at a completely different outcome is, frankly, cartoonish.

Please don't lump me in with anyone espousing those views. I'm not a
conspiracy theorist of any sort.

>
> You're trying to give user agents immense power and they're telling
> you that they _don't want it_ because they do understand the
> history. The "argument to SOP" is not that it's perfect or captures
> every use case, but more like the old joke about democracy - it's the
> worst system possible...except for all the others we've tried.

The use cases in question are unaddressed. That we have a SOP that
creates a powerful, meaningful security boundary for a whole set of
other use cases really has nothing to do with this. If the SOP can't be
applied to the use cases, then it can't be the worst possible system
(with caveat) for them. The worst possible system (with caveat) for
addressing the use cases must be some other system that we haven't
created yet. That's the system we need to build.

>
> There's really nothing different today in the fundamentals of how
> user agents work, the cryptographic techniques at our disposal, or
> the use cases of "I'm over 18" and "I'm a citizen" between now and
> 20 years ago. If you want to propose walking down that road again,
> the obligation is on you to be very convincing about what have you
> learned from that history that nobody else did about how do to it
> differently this time.

I agree that it's on us to be convincing. We've been compiling arguments
and doing write ups around the lessons learned in this space in the W3C
Credentials Community Group. Another possible lesson to learn from
history: there have been many problems that were very hard for a very
long time... and then they got solved. We should try to solve problems
not because they're easy, but because they're hard.

We value the input from folks like yourself who have worked on and
continue to work on hard problems.


-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com
Received on Wednesday, 23 September 2015 20:11:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC