- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Tue, 7 Jun 2016 17:42:20 +0000
- To: Dirk Balfanz <balfanz@google.com>
- CC: "public-webauthn@w3.org" <public-webauthn@w3.org>
On 6/6/16, 9:45 PM, "Dirk Balfanz" <balfanz@google.com> wrote: >[...] In fact, FIDO historically > draws the line even more conservatively than the rest of the web does >(not even considering DRM). Let me give you an example of that: when we >first introduced app IDs and facets, it was technically possible for two >origins, let's say >google.com <http://google.com> and youtube.com <http://youtube.com>, to >collaborate and access the same key on an authenticator (something that >could come in quite handy for those two origins, as you can imagine). >Note that absent app IDs and FIDO, any two origins on the web, if they >choose to collaborate, can already track a user and agree on a common >identifier (by iframing each other, run federation protocols, etc). FIDO >at that point decided that we didn't want to introduce an *additional* >channel for different origins to track users; so we changed the app id >spec to no longer make it possible for exampleA.com and exampleB.com to >have access to the same keys from an authenticator. I do not think this is actually a correct example because we specified that particular aspect of the appid-and-facet spec -- i.e., not making exampleA.com and exampleB.com equivalent -- in order to not violate the Web's crucial, well-established "cookie same origin policy" [1], which does have both security and privacy connotations, but we (at least I and Brad) were focusing on the security aspects. Effectively, the appid-and-facet approach /adheres/ to the cookie same origin policy. [1] http://identitymeme.org/http-cookie-processing-algorithm-etlds/ HTH, =JeffH >
Received on Tuesday, 7 June 2016 17:42:53 UTC