- From: Harry Halpin <hhalpin@w3.org>
- Date: Wed, 23 Sep 2015 21:12:52 -0400
- To: Dave Longley <dlongley@digitalbazaar.com>, Jeffrey Yasskin <jyasskin@google.com>
- CC: Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Rigo Wenning <rigo@w3.org>
- Message-ID: <56034E14.7010803@w3.org>
TL;DR As it's pretty clear we're just rehashing known problems with violating same origin policy and basic crypto key management issues, I will now turn my spam filter back on :) However, action was necessitated as I have had complaints from various members and non-members (including members of the Bitcoin community) over excessive emails both on-list and off-list from WebID+TLS Community Group members, Credentials Community Group, and Anders - and even harassment of W3C Team members via Skype and Facebook asking for "support" of these specs. At least personally I've had to block members of the WebID and Credentials CG on popular social media sites due to the level of spam and, due to abuse, remove one member from a Working Group. Strangely, this really seems motivated by about a dozen people with emotional attachment to certain specs, not a huge upsurge of grassroots support from end-users. What tends to matter in a spec is user and industry adoption, and these cannot be bypassed via asking W3C Team members to push a particular non-mature spec or forcing compatibility with such non-mature specs in widely deployed standards such as those produced by WebAppSec and the WebCrypto WG.

On 09/23/2015 07:46 PM, Dave Longley wrote:
> On 09/23/2015 06:43 PM, Harry Halpin wrote:
>> On 09/23/2015 03:18 PM, Jeffrey Yasskin wrote:
>>> On Wed, Sep 23, 2015 at 9:04 AM, Dave Longley
>>> <dlongley@digitalbazaar.com> wrote:
>>>> On 09/23/2015 09:57 AM, Harry Halpin wrote:
>>>>> On 09/23/2015 03:42 AM, Anders Rundgren wrote:
>>>>>> In my opinion the #1 problem with this discussion is that
>>>>>> when you mention things that don't match the SOP vision,
>>>>>> like the fact that Android-, Apple-, and Samsung-Pay don't
>>>>>> work on the Web, dead silence is all you get.
>>>>>
>>>>> Since the same origin policy is the primary meaningful security
>>>>> boundary on the Web, I expect for most people interested in
>>>>> security and privacy that emails that dismiss SOP are generally
>>>>> put in the spam folder.
>>>>>
>>>>> I do understand some people are interested in creating, for
>>>>> example, a 'unique identifier' across all websites such as in the
>>>>> form of a X.509 certificate. This sort of totalitarian
>>>>> identity scheme...
>>>>
>>>> "dismissing"? "totalitarian"? These words have meanings that
>>>> don't seem to line up with their usage here, but their
>>>> connotations do yield negative visceral reactions. Is the goal
>>>> discord or understanding?
>>>>
>>>> I've really only been following this thread from the sidelines,
>>>> but who has dismissed SOP? Who has shown interest in creating a
>>>> 'unique identifier' across all websites? Are you referencing a
>>>> different discussion?
>>>
>>> He might be referring to
>>> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/JN-v2FEmBgAJ,
>>> which expresses a goal to "allow[] you to use one certificate to
>>> authenticate to all servers".
>>
>> In particular, I'm also referring to WebID+TLS [1], which Dave
>> Longley and Manu Sporny implemented [2] and used to support.
>
> So when you were referring to someone dismissing SOP and creating a
> 'unique identifier' across all websites you meant to include me? These
> are not positions I support. We clearly have a misunderstanding.
>
>> While I am glad the RDF/Linked Data community has noticed security
>> and privacy
>
> Please try to use a more respectful tone. It would be best to avoid
> divisive tribal rhetoric; it is unhelpful.

Of course I agree. However, the RDF community from whose fringes the WebID+TLS and Credentials Community Group came is a distinct community which is either wilfully ignoring existing work or simply does not understand it.

It would also be helpful if the Credentials Community Group and WebID+TLS Community Group simply referred to and used other specs from Working Groups. For example, the "Linked Data Signatures" spec that was pushed by Manu [1] ignored the fact that there is already a perfectly good JSON signature spec with wide implementation and deployment at the IETF, known as JSON Web Signatures [2]. Instead, that spec basically creates its own canonicalization scheme unique to RDF (ignoring the hard-won lessons from the W3C XML-DSIG WG about how difficult canonicalization schemes are). The motivations are at best unclear but perhaps result from a 'not invented here' syndrome. The W3C in general does not try to simply replicate the work of the IETF, instead preferring to work together.

[1] https://web-payments.org/specs/source/ld-signatures/
[2] https://tools.ietf.org/html/rfc7515

>> Enabling the user to use a private/public key pair over the Web, but
>> in process losing what privacy the user has by associating them with
>> a public key or certificate that acts as a 'supercookie' across
>> origins is *not* a good idea.
>
> I agree. We shouldn't be creating something that acts like a 'supercookie'

Note that a public key that is exposed as an identity mechanism via the browser across origin boundaries is, in effect, a super-cookie.

>> Despite a lack of vendor and user support or even interest, a small
>> group of people from these Community Groups sends endless emails to
>> various Working Groups, such as the Web Application Security Working
>> Group and Web Cryptography Working Group, pushing the TAG, and so on
>> to get their design based on "one key per user" inserted into the
>> Web.
>
> What exactly is a "one key per user" design? I don't believe that I or
> the Credentials CG is pushing that and I'm not aware of anyone from the
> Credentials CG that sends "endless emails to various Working Groups..."
> to convince them of such a thing on behalf of the Credentials CG. If
> there is such a member that fits your description, they don't represent
> the goals of the group.

The "one key per user" design is where, via a simple transposition of something like an existing national eID scheme to the Web, one imagines that users have access to a single key that they use to sign all transactions and 'identify' themselves across the Web. Such a scheme is obviously a (rather likely with the best of intentions) "totalitarian" vision of a global identity system for the Web. This is clearly at the heart of the WebID+TLS spec and seems also to be the motivation of Identity Credentials, ignoring hard issues of privacy, pseudonyms, possible compromise, revocation, key rotation, tracking, anonymity, etc. Other specs that have vendor support, such as FIDO, do not attempt to push a single identity scheme into an authentication mechanism and respect the same origin policy. I imagine whatever comes out of any new hardware-based security Working Group will also have to take these issues on board.

> To borrow from Brad Hill, some of the narrative above is frankly,
> cartoonish. We ought to all try to move away from the tarpit of
> conspiracy theories and guessing other people's motivations and instead
> focus on use cases, technology, and a way forward.

I strongly support the goals of more user-control over identity, better authentication, and decentralization. I sympathize with emotional attachment to particular specs, and the disappointment that is felt when 'specs' one has worked on long and hard are not implemented or taken up by industry or users. But I'd like to note that the schemes *that violate same origin policy* from the WebID+TLS and Credentials CG should be taken back to the drawing board.

To repeat my last email, which you cut off:

"Instead, *inside the respective Community Group* the use-case should be properly defined, the burden of proof of showing existing standards do not fulfil their use-case should be met, and basic security/privacy best practices should be followed, along with re-use of existing standards from the IETF and W3C and adequate review from the wider experts. When a level of reasonable maturity is reached, then it could be proposed to the IG for broader review and then, if sensible, to the W3C as a possible chartered Working Group. That would be a more productive path forward than the current situation with both WebID+TLS, the Credentials Community Group, and whatever sort of 'standard' Anders wants to propose."

cheers,
harry
Received on Thursday, 24 September 2015 01:12:58 UTC