
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Harry Halpin <hhalpin@w3.org>
Date: Wed, 23 Sep 2015 18:43:23 -0400
Message-ID: <56032B0B.4040306@w3.org>
To: Jeffrey Yasskin <jyasskin@google.com>, Dave Longley <dlongley@digitalbazaar.com>
CC: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
On 09/23/2015 03:18 PM, Jeffrey Yasskin wrote:
> On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley
> <dlongley@digitalbazaar.com> wrote:
>> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>> In my opinion the #1 problem with this discussion is that when you
>>>> mention things that don't match the SOP vision, like the fact that
>>>> Android-, Apple-, and Samsung-Pay don't work on the Web, dead silence
>>>> is all you get.
>>>
>>> Since the same origin policy is the primary meaningful security boundary
>>> on the Web, I expect for most people interested in security and privacy
>>> that emails that dismiss SOP are generally put in the spam folder.
>>>
>>> I do understand some people are interested in creating, for example, a
>>> 'unique identifier' across all websites, such as in the form of an X.509
>>> certificate. This sort of totalitarian identity scheme...
>>
>> "dismissing"? "totalitarian"? These words have meanings that don't seem to
>> line up with their usage here, but their connotations do yield negative
>> visceral reactions. Is the goal discord or understanding?
>>
>> I've really only been following this thread from the sidelines, but who has
>> dismissed SOP? Who has shown interest in creating a 'unique identifier'
>> across all websites? Are you referencing a different discussion?
> He might be referring to
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
> which expresses a goal to "allow[] you to use one certificate to
> authenticate to all servers".

In particular, I'm also referring to WebID+TLS [1], which Dave Longley
and Manu Sporny implemented [2] and used to support. It appears their
WebID+TLS work has evolved into the "Identity Credentials" spec [3] and
HTTP Signatures (which claims to be part of the "Web Payments work",
although it's clearly not part of the W3C work, but part of the Community
Group) [4].

While I wholeheartedly support greater user control of identity, it
seems both WebID+TLS and the Credentials Community Group are based on a
dependency on RDF, idiosyncratic uses of cryptography that have an
implicit 'one key per person' model, and a lack of familiarity with
existing and widely deployed IETF specifications in this area such as
OAuth and JOSE; instead they prefer to reference 'specs' that only
members of their Community Group have authored. While I am glad the
RDF/Linked Data community has noticed security and privacy, it also
seems like their general high-level design violates reasonable privacy
and security constraints (indeed, SOP is the only boundary we have), and
so should be redesigned using existing IETF Working Groups such as those
of OAuth and JOSE, W3C work such as the WebCrypto API, and be compatible
with SOP.

Enabling the user to use a private/public key pair over the Web, but in
the process losing what privacy the user has by associating them with a
public key or certificate that acts as a 'supercookie' across origins, is
*not* a good idea. Again, I've suggested basic mitigations such as
per-origin key derivation etc., and FIDO's design here seems as good as
we've got right now.

Despite a lack of vendor and user support or even interest, a small
group of people from these Community Groups sends endless emails to
various Working Groups, such as the Web Application Security Working
Group and Web Cryptography Working Group, pushes the TAG, and so on, to
get their design based on "one key per user" inserted into the Web. The
origin of this idea seems to be some desire to transpose X.509 or (a
misinterpretation of) GPG into the Web.

It appears the long-term goal of these Community Groups is the hope that
simply adding 'W3C Rec' to their idea would somehow drive adoption. That
is highly unlikely if all major vendors and experts agree it's a
not-so-great idea in terms of security/privacy and there's little
grassroots support, so whether or not it becomes a W3C Rec. would
ultimately be irrelevant, as it would only make the W3C lose credibility
in terms of standardization. Although it may be considered useful
educationally to those in these Community Groups to continually shop
their specs across the W3C, this behavior should not be encouraged at
W3C if we are to be a productive place to do work.

Instead, *inside the respective Community Group* the use-case should be
properly defined, the burden of proof of showing that existing standards
do not fulfil their use-case should be met, and basic security/privacy
best practices should be followed, along with re-use of existing
standards from the IETF and W3C and adequate review from the wider
experts. When a level of reasonable maturity is reached, then it could
be proposed to the IG for broader review and then, if sensible, to
the W3C as a possible chartered Working Group. That would be a more
productive path forward than the current situation with WebID+TLS,
the Credentials Community Group, and whatever sort of 'standard' Anders
wants to propose.

                          cheers,
                                   harry

[1] http://www.w3.org/2005/Incubator/webid/spec/tls/
[2] http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_7.pdf
[3] http://opencreds.org/specs/source/identity-credentials/
[4] https://tools.ietf.org/html/draft-cavage-http-signatures-04
>
> Jeffrey
>
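The "per-origin key derivation" mitigation mentioned above, shown as an added example that is not part of the thread or of any of the specs it discusses: a single master secret is expanded with RFC 5869 HKDF into a distinct key for each origin, so the identifier each server sees cannot be correlated across sites the way one global key or certificate can. The origin-string salt and info labels are assumptions of this example, and a hash of the derived key stands in for a real public key identifier.

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def per_origin_key(master_secret: bytes, origin: str) -> bytes:
    """Derive a 32-byte key bound to one origin (labels are this example's choice).

    Same master secret + same origin -> same key (stable identity at that site);
    different origin -> unrelated key (no linkage between sites).
    """
    prk = hkdf_extract(b"per-origin-key-v1", master_secret)
    return hkdf_expand(prk, b"origin:" + origin.encode("ascii"), 32)


def key_id(key: bytes) -> str:
    """Stand-in for the public identifier a server would learn from a key."""
    return hashlib.sha256(key).hexdigest()[:16]


def identifiers_seen_by(origins, master_secret: bytes, per_origin: bool) -> dict:
    """What each origin's server learns about the user.

    per_origin=False models the 'one key per person' design: every site sees
    the same identifier, i.e. a supercookie. per_origin=True models the
    mitigation: each site sees its own, uncorrelatable identifier.
    """
    if per_origin:
        return {o: key_id(per_origin_key(master_secret, o)) for o in origins}
    return {o: key_id(master_secret) for o in origins}


if __name__ == "__main__":
    secret = b"constructed-master-secret-for-demo"  # constructed sample value
    sites = ["https://a.example", "https://b.example"]
    print("global key:    ", identifiers_seen_by(sites, secret, per_origin=False))
    print("per-origin key:", identifiers_seen_by(sites, secret, per_origin=True))
```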
Received on Wednesday, 23 September 2015 22:43:28 UTC
