Re: Diversity and Inclusiveness in the IETF

Phillip Hallam-Baker <> Wed, 24 February 2021 15:18 UTC

From: Phillip Hallam-Baker
Date: Wed, 24 Feb 2021 10:18:17 -0500
Subject: Re: Diversity and Inclusiveness in the IETF
To: Hannes Tschofenig
Cc: Keith Moore

On Wed, Feb 24, 2021 at 2:35 AM Hannes Tschofenig wrote:

> Hi Keith, Hi Phil,
> I am trying to level up a bit here and not focus on OAuth or SAML.
> When someone suggests that you use a certain technology then there is
> typically an entire context that comes with the question that led to this
> recommendation. Since we don’t know the context, it is hard to say whether
> the recommendation is reasonable.
> I think we can all agree that there are many aspects involved in making a
> technology choice. Some of those choices are business related, with the
> availability of software and with the familiarity of the concepts by those
> using the technology.
> What I also see happening again and again is that people confuse protocols
> with the deployment of protocols. Phil does this below too. Just because
> Facebook, Google & Co decide to use OAuth in some specific way does not
> mean that OAuth cannot be deployed by others in a completely different way.

I am not confused, I merely don't accept that the distinction is a useful
one. I know what HTTP and HTML were supposed to be. I also know what they
have become and that there is no way to go back.

The fact that a technology has become one of the factors in reinforcing a
duopoly position is far more relevant to the question of whether a group
should be told that they must use it than ANY aspect of the
technology itself. Yes, OAUTH is capable of supporting a different
ecosystem to the one that it has established. But when an application is
built on OAUTH, they don't get to change the ecosystem.

It is the same in PKI. There is absolutely nothing stopping anyone from
implementing the PGP Web of Trust in X.509. Mark Shuttleworth actually got
pretty far in doing just that. But nobody is ever going to be able to use
that system because there are simply too many assumptions about how the
formats are used built into the deployed infrastructure.

> Unfortunately, I don’t see how any of this relates to the diversity
> discussion. I would therefore suggest moving this discussion to the OAuth
> group. There are so many aspects in Phil’s email that require
> clarifications...

If you noticed, I had actually broadened the issue of folk insisting on
their technology being used to include the SPF/DKIM experience which was
quite different.

What I think some of the grownups need to start thinking about is just what
is going to be happening over the next five to ten years as various
politicians decide to wield anti-trust against what they are now calling
big tech. The ostrich strategy that has worked so far is not likely to work
for very much longer.

Google and Facebook in particular would be well advised to start sending
lawyers to all the standards meetings in which they participate. Or at the
very least the ones that are being attended by lawyers who work for the FTC
and EU anti-trust divisions.