Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Harry Halpin <hhalpin@w3.org>
Date: Thu, 24 Sep 2015 01:07:07 -0400
Message-ID: <560384FB.6060101@w3.org>
To: Dave Longley <dlongley@digitalbazaar.com>
CC: public-web-security@w3.org, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 09/23/2015 11:56 PM, Dave Longley wrote:
> As this has degenerated into what I consider flaming, I've removed
> others from the CC list and I don't plan on responding further.
> On 09/23/2015 09:12 PM, Harry Halpin wrote:
>> TL;DR
>> As it's pretty clear we're just rehashing known problems with
>> violating same origin policy and basic crypto key management issues,
>>  I will now turn my spam filter back on :)
> I do agree we're getting nowhere, but for different reasons. Accusing
> someone of positions they don't hold and then telling them any response
> will be considered spam isn't a discussion. No wonder the motivations of
> others are unclear to you.

I apologize if I've misconstrued your position from specs you've
written, code you've written, or blog posts. If your views, or Manu's,
have changed then you should simply update your specs and write new blog

However, I see relatively recent posts like this:


In which it is noted that WebID+TLS is given higher 'ratings' than OAuth
2.0, and it is incorrectly noted that OAuth 2.0 is not used with digital
signatures or used for the transfer of verified credentials, when it is
used by almost all major sites. There are probably ways to simplify the
flow (as shown by Eran's Oz) and all sorts of privacy improvements.

Thus, again, I recommend doing a good deal of background reading and
understanding of the work the IETF and others have done in this space
before re-inventing the wheel. The current work of the Credentials CG
would not pass any kind of security or privacy review, and so I don't
see why it or related work would justify getting rid of the Same Origin


>> However, action was necessitated as I have had complaints from 
>> various members and non-members (including members of the Bitcoin 
>> community) over excessive emails both on-list and off-list from 
>> WebID+TLS Community Group members, Credentials Community Group, and 
>> Anders - and even harassment of W3C Team members via Skype and 
>> Facebook asking for "support" of these specs. At least personally 
>> I've had to block members of the WebID and Credentials CG on popular 
>> social media sites due to the level of spam and due to abuse remove 
>> one member from a Working Group. Strangely, this really seems 
>> motivated by about a dozen people with emotional attachment to 
>> certain specs, not a huge upsurge of grassroots support from 
>> end-users.
> The implication that a member of the Credentials CG or the entire group
> is guilty, by association, of harassment is quite unbecoming. Did they
> also have mustaches? As you know, W3C Community Groups are freely open
> to all on the Internet.
Received on Thursday, 24 September 2015 05:07:12 UTC