W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Dave Raggett <dsr@w3.org>
Date: Fri, 25 Sep 2015 10:38:50 +0100
Cc: Martin Paljak <martin.paljak@ria.ee>, Harry Halpin <hhalpin@w3.org>, public-web-security@w3.org, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <75F6CEC1-A09C-4E80-A5CB-E551A0834708@w3.org>
To: Dave Longley <dlongley@digitalbazaar.com>

> On 24 Sep 2015, at 22:02, Dave Longley <dlongley@digitalbazaar.com> wrote:
> 
> We also need to be careful about the privacy implications here. To
> explain this I'm going to lay out some quick terminology for a
> user-centric system.
> 
> In the Credentials CG work, we have four main parties that are involved
> in a "credentials ecosystem". Here's a brief overview:
> 
> 1. Users - entities about which claims are made
> 2. Issuers - services that make claims
> 3. IdPs - services that aggregate claims on behalf of Users
> 4. Consumers - services that request and make use of claims
> 
> Now, regarding privacy, it would be ideal if a User could interact with
> Consumers without Issuers or IdPs being made aware of this fact. If
> information is going to be transferred "server-to-server", this property
> should be preserved.

A further desirable property would be that the identifiers used between the User and Consumer are short lived (i.e. session based), to minimise loss of privacy across sessions or across Consumers.


   Dave Raggett <dsr@w3.org <mailto:dsr@w3.org>>
Received on Friday, 25 September 2015 09:39:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC