
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Thu, 24 Sep 2015 11:57:20 -0400
Message-ID: <56041D60.30107@digitalbazaar.com>
To: Harry Halpin <hhalpin@w3.org>
CC: public-web-security@w3.org, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 09/24/2015 01:07 AM, Harry Halpin wrote:
> On 09/23/2015 11:56 PM, Dave Longley wrote:
>> As this has degenerated into what I consider flaming, I've removed
>> others from the CC list and I don't plan on responding further.
>>
>> On 09/23/2015 09:12 PM, Harry Halpin wrote:
>>> TL;DR
>>>
>>> As it's pretty clear we're just rehashing known problems with
>>> violating same origin policy and basic crypto key management
>>> issues, I will now turn my spam filter back on :)
>> I do agree we're getting nowhere, but for different reasons.
>> Accusing someone of positions they don't hold and then telling them
>> any response will be considered spam isn't a discussion. No wonder
>> the motivations of others are unclear to you.
>
> I apologize if I've misconstrued your position from specs you've
> written, code you've written, or blog posts.

Thank you, apology accepted.

Also, as always, we do plan on updating our specs as time permits.
Unfortunately, there's typically a lot going on ... all the time.

Please keep in mind the "credentials-retrospective" post you referenced
is a draft. Perhaps we should add a section on differentiating
technologies from how they are spec'd at the protocol level (as I'm sure
you know, OAuth 2.0 removed signatures from the spec, with much
controversy and fallout [1][2]) vs. how they are used or could be used
and augmented in practice. The same treatment should be applied to all
specs and feedback is welcome.

1. http://hueniverse.com/2010/09/15/oauth-2-0-without-signatures-is-bad-for-the-web/
2. http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/

-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com
Received on Thursday, 24 September 2015 15:57:47 UTC