Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

Christian Huitema <> Fri, 26 February 2021 20:11 UTC

To: Tim Bray <>, Justin Richer <>
Cc: Seán Kelleher <>, Phillip Hallam-Baker <>, "" <>, IETF-Discussion Discussion <>

On 2/26/2021 8:31 AM, Tim Bray wrote:

> On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <> wrote:
>     Right, it’s possible to patch OAuth to do this, but the whole
>     “registration equals trust” mindset is baked into OAuth at a
>     really core level. That’s one of the main reasons there’s been
>     hesitance at deploying dynamic registration. It’s an extension
>     that changes your trust model’s assumptions, and does so in a way
>     that is challenging for a lot of large scale providers.
> Justin is correct but being extremely diplomatic. “There’s been 
> hesitance”, as he puts it, translates in practice to some lawyer or VP 
> saying “You want to accept auth assertions for business transactions 
> from unknown parties?  I have no interest in jail time, so forget it.”

Tim's point is very important. It shows a tension between "blindly 
accepting authentication claims from unknown parties", which would 
indeed lead to adversarial business consequences, and "only accepting 
authentication claims from parties that have been marked as trusted by 
my organization", which in theory looks safe but in practice drives 
concentration. If the trust decision is delegated to each site, we have 
the recipe for a network effect, in which only a very small set of big 
organizations can provide authentication for everybody, and collect the 
corresponding data and statistics.

This is both a very hard problem and an urgent problem. An IETF working 
group works on a hard issue and produces an incomplete solution. Big 
companies can fill the gaps by providing their own value. The result is 
further concentration of the Internet.

Such problems are very hard, but they are not impossible to solve. Look 
for example at PKI and its supporting infrastructure like the CAB Forum. 
It is not perfect, but at least it had the property of allowing web 
sites to use HTTPS without routing all authentication transactions 
through third parties. Wouldn't it be nice if we had a federation system 
on top of OAUTH? I suppose that is difficult. Not a reason to not try...

-- Christian Huitema