
Re: A Somewhat Critical View of SOP (Same Origin Policy)

From: Rigo Wenning <rigo@w3.org>
Date: Sat, 26 Sep 2015 12:33:39 +0200
To: Brad Hill <hillbrad@gmail.com>
Cc: Dave Longley <dlongley@digitalbazaar.com>, Harry Halpin <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Alex Russell <slightlyoff@google.com>, public-web-security@w3.org, Tony Arcieri <bascule@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <3967702.pRcGpGpzSb@hegel>
On Wednesday 23 September 2015 19:01:17 Brad Hill wrote:
> But here we are, in 2015, and Identity is still the White Whale of the Web.

This in itself shows a really fundamental difference in the understanding 
of identity, its social functions and the expectations attached to it. 

BTW, in a project we implemented the Chaum credentials for age verification 
and other anonymous credentials (with IBM, MS, SAP and others). People were 
interested. There were IPR issues in the way. And the belief of many web 
actors that knowing somebody's name, having a profile, having an "identity" 
equals "trust" needed for ecommerce. So "browser makers" were not interested 
because it wasn't a mainstream thought. Arguing Zeitgeist doesn't mean the 
Zeitgeist is right or that the Zeitgeist can't change. 

And only because the current browser makers believe that SOP is the only way 
to scope a credential or token doesn't mean it is really the only way. It just 
means that it is more difficult to get implementation if a viable solution is 
found. We had that for over 10 years with Microsoft pouting CSS, isn't it?

So arguing a dichotomy isn't helping IMHO.  But of course I hear your warnings 
about past mistakes and I still feel my own defeats in the EU electronic 
signature circus where I failed to convince others that their HIGH security 
requirements will not work with Web integration. What I want is a real 
discussion and not just the throwing of drop-dead-arguments. 

 --Rigo


Received on Saturday, 26 September 2015 10:33:50 UTC
