W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Harry Halpin <hhalpin@w3.org>
Date: Wed, 23 Sep 2015 21:12:52 -0400
Message-ID: <56034E14.7010803@w3.org>
To: Dave Longley <dlongley@digitalbazaar.com>, Jeffrey Yasskin <jyasskin@google.com>
CC: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
TL;DR

As its pretty clear we're just rehashing known problems with violating
same origin policy and basic crypto key management issues, I will now
turn my spam filter back on :) However, action was necessitated as I
have had complaints from various members and non-members (including
members of the Bitcoin community) over excessive emails both on-list and
off-list from WebID+TLS Community Group members, Credentials Community
Group, and Anders - and even harassment of W3C Team members via Skype
and Facebook asking for "support" of these specs. At least personally
I've had to block members of the WebID and Credentials CG on popular
social media sites due to the level of spam and due to abuse remove one
member from a Working Group. Strangely, this really seems motivated by
about a dozen people with emotional attachment to certain specs, not a
huge upsurge of grassroots support from end-users.

What tends to matter in a spec is user and industry adoption, and these
cannot be bypassed via asking W3C Team members to push a particular
non-mature spec or forcing compatibility with such non-mature specs in
widely deployed standards such as those produced by WebAppSec and the
WebCrypto WG.

On 09/23/2015 07:46 PM, Dave Longley wrote:
> On 09/23/2015 06:43 PM, Harry Halpin wrote:
>> On 09/23/2015 03:18 PM, Jeffrey Yasskin wrote:
>>> On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley 
>>> <dlongley@digitalbazaar.com> wrote:
>>>> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>>>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>>>> In my opinion the #1 problem with this discussion is that
>>>>>> when you mention things that doesn't match the SOP vision
>>>>>> like the fact that Android-, Apple-, and Samsung-Pay doesn't
>>>>>> work on the Web, dead silence is all you get.
>>>>> Since the same origin policy is the primary meaningful security
>>>>> boundary on the Web, I expect for most people interested in
>>>>> security and privacy that emails that dismiss SOP are generally
>>>>> put in the spam folder.
>>>>>
>>>>> I do understand some people are interested in creating, for
>>>>> example, 'unique identifier' across all websites such as in the
>>>>> form of a X.509 certificate. These sort of  totalitarian
>>>>> identity scheme...
>>>> "dismissing"? "totalitarian"? These words have meanings that
>>>> don't seem to line up with their usage here, but their
>>>> connotations do yield negative visceral reactions. Is the goal
>>>> discord or understanding?
>>>>
>>>> I've really only been following this thread from the sidelines,
>>>> but who has dismissed SOP? Who has shown interest in creating a
>>>> 'unique identifier' across all websites? Are you referencing a
>>>> different discussion?
>>> He might be referring to 
>>> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
>>>
>>>
> which expresses a goal to "allow[] you to use one certificate to
>>> authenticate to all servers".
>> In particular, I'm also referring to WebID+TLS [1], which Dave
>> Longley and Manu Sporny implemented [2] and used to support.
> So when you were referring to someone dismissing SOP and creating a
> 'unique identifier' across all websites you meant to include me? These
> are not positions I support. We clearly have a misunderstanding.
>
>> While I am glad the RDF/Linked Data community has noticed security
>> and privacy
> Please try to use a more respective tone. It would be best to avoid
> divisive tribal rhetoric; it is unhelpful.
Of course I agree. However, the RDF community from whose fringes the
WebID+TLS and Credentials Community Group came is a distinct community
which is either wilfully ignoring existing work or simply does not
understand it.  It would also be helpful if the Credentials Community
Group and WebID+TLS Community Group simply referred to and used other
specs from Working Groups. For example, the "Linked Data Signatures"
spec that was pushed by Manu [1] ignored the fact that an already
perfectly good JSON signature spec with wide implementation and
deployment at the IETF known as JSON Web Signatures [2]. Instead, that
spec basically creates its own canonicalization scheme unique for RDF
(ignoring the hard-won lessons of how difficult canonicalization schemes
are from the W3C XML-DSIG WG). The motivations are at best unclear but
perhaps result from a 'not invented here' syndrome. The W3C in general
does not try to simply replicate the work of the IETF, instead
preferring to work together.

[1] https://web-payments.org/specs/source/ld-signatures/
[2] https://tools.ietf.org/html/rfc7515

>
>> Enabling the user to use a private/public key pair over the Web, but
>> in process losing what privacy the user has by associating them with
>> a public key or certificate that acts as a 'supercookie' across
>> origins is *not* a good idea.
> I agree. We shouldn't be creating something that acts like a 'supercookie'

Note that a public key that is exposed as an identity mechanism via the
browser across origin boundaries is, in effect, a super-cookie.
>
>> Despite a lack of vendor and user support or even interest, a small 
>> group of people from these Community Groups sends endless emails to 
>> various Working Groups, such as the Web Application Security Working 
>> Group and Web Cryptography Working Group, pushing the TAG, and so on
>> to get their design based on "one key per user" inserted into the
>> Web.
> What exactly is a "one key per user" design? I don't believe that I or
> the Credentials CG is pushing that and I'm not aware of anyone from the
> Credentials CG that sends "endless emails to various Working Groups..."
> to convince them of such a thing on behalf of the Credentials CG. If
> there is such a member that fits your description, they don't represent
> the goals of the group.

The "one key per user" design is where, via a simple transposition of
something like an existing national eID scheme to the Web,  one imagines
that users have access to a single key that they use to sign all
transactions and 'identify' themselves across the Web. Such a scheme is
obviously a (rather likely with the best of intentions) "totalitarian"
vision of a global identity system for the Web. This is clearly at the
heart of the WebID+TLS spec and seems also to be the motivation of
Identity Credentials, ignoring hard issues of privacy, pseudonyms, 
possible compromise, revocation, key rotation, tracking, anonymity, etc.
Other specs that have vendor support, such as FIDO, do not attempt to
push a single identity scheme into an authentication mechanism and
respect the same origin policy. I imagine whatever comes out of any new
hardware-based security Working Group will also have to take these
issues on board.

>
> To borrow from Brad Hill, some of the narrative above is frankly,
> cartoonish. We ought to all try to move away from the tarpit of
> conspiracy theories and guessing other people's motivations and instead
> focus on use cases, technology, and a way forward.
>

I strongly support the goals of more user-control over identity, better
authentication, and decentralization. I sympathize with emotional
attachment to particular specs, and the disappointment that is felt when
'specs' one has worked on long and hard are not implemented or taken up
in industry or users. But I'd like to note that the schemes *that
violate same origin policy* from the WebID+TLS and Credentials CG 
should be taken back to the drawing board. To repeat my last email,
which you cut off:

"Instead, *inside the respective Community Group* the use-case should be
properly defined, the burden of proof of showing existing standards does
not fulfil their use-case should be made, and basic security/privacy
best practices should be followed, along with re-use of existing
standards from the IETF and W3C and adequate review from the wider
experts. When a level of reasonable maturity is reached, then it could
be proposed to the the IG for broader review and then, if sensible, to
the W3C as a possible chartered Working Group. That would be a more
productive path forward than the current situation with both WebID+TLS,
the Credentials Community Group, and whatever sort of 'standard' Anders
wants to propose."

   cheers,
         harry
 
Received on Thursday, 24 September 2015 01:12:58 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC