Re: [OAUTH-WG] Assessing the negative effects of proposed standards

Keith Moore <moore@network-heretics.com> Mon, 01 March 2021 20:30 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC9283A2277 for <ietf@ietfa.amsl.com>; Mon, 1 Mar 2021 12:30:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 132WzuXs4RwQ for <ietf@ietfa.amsl.com>; Mon, 1 Mar 2021 12:30:35 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9212F3A2275 for <ietf@ietf.org>; Mon, 1 Mar 2021 12:30:35 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 00C115C0127 for <ietf@ietf.org>; Mon, 1 Mar 2021 15:30:34 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Mon, 01 Mar 2021 15:30:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=69DVuT v6RoHK7VmrK0+4HqFtD5zUEHo/JyUw71pfG6I=; b=WMI9Mm5pSuBgFD3hIFEowH xDuhbqhBGQ9xReev/ddyzDttZkgo25XmdKrcB+PlgSM6XXEj5jdHFLbTFssc64ov XP5Wms9RqnmFHHgmuztxhvBu0boStvaif6ZjgzPxn/bHAnjpllx4HIGTomSTETTe GWuTSfzB/KdSS0Lwhcy6Sg93WEjJ9EYfAvyyQPRFw6i6n+Aeq0hIxrRcOUbIC4Iz o+MP0wgDlyOK8aqSgLSFhiBbtutP1GFa+1Y1GbyLEeq2ujvOHl81983nZbX3Xus1 E1uJ3KJL0YiYzk9KA+H1KlIbmiqnEGuFKoX29jUFu6hhmv1bmX0OJSSS09BsaMwQ ==
X-ME-Sender: <xms:6U49YCz6TC1HbQc4Q0nzWWLe-9cKZRhysWJUmsBdmOpzvG8Ins1YFA> <xme:6U49YLbJL3AHQ_MxlONNeVsV45-6gmriO8VyTJuoO8twQ0xzBKDtihL2thXrwbwet iMCzr7Ovjg0og>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrleekgddufeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefuvfhfhffkffgfgggjtgesrgdtre ertdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecuggftrfgrthhtvghrnhepveefteduieegtd elvddvtddufeejjeffvdefteejieeulefgtdfggedtffektedunecukfhppedutdekrddv vddurddukedtrdduheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrih hlfhhrohhmpehmohhorhgvsehnvghtfihorhhkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:6U49YDXAVn9uJNzOony72Y72IwJZIl6zx18rKsMYRDH-XoywAl8ViQ> <xmx:6U49YJi8tKVrtHCsPal2Rt3kaw102ruWyQx04AlU_BMJx49A5nV3gw> <xmx:6U49YBse9pKg2RnBi7LAa-U74wixd9ae6qkuleyMVLCROC3LDTr9oA> <xmx:6U49YIstl6ewm0nASK72yaxyBKwK5Hv5K--mKGEg4VKEXlJfFx6ZtA>
Received: from [192.168.1.90] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 5A6AB24005A for <ietf@ietf.org>; Mon, 1 Mar 2021 15:30:33 -0500 (EST)
Subject: Re: [OAUTH-WG] Assessing the negative effects of proposed standards
To: ietf@ietf.org
References: <CWXP265MB0566C4B21C45E760B1BFED7FC29A9@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <EF14E7AC-CA19-44EE-9EC6-D21A81ECA756@manicode.com> <1016085528.105908.1614610785506@appsuite-gw1.open-xchange.com> <305345e0-6901-30a4-8010-e0b174b12c2f@manicode.com> <AFFDAA4C-5354-4578-9D89-95D52DD945E0@independentid.com> <CAMm+LwharMP-YzNwhFdWq7t-+PQuaVxMrPZUAcB39Xseh42RUA@mail.gmail.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <d7812b29-9a9c-4c11-6996-fc0456cc1210@network-heretics.com>
Date: Mon, 1 Mar 2021 15:30:32 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwharMP-YzNwhFdWq7t-+PQuaVxMrPZUAcB39Xseh42RUA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------25252B559FF8E9DB66F61C0C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Tk4EoWhbcDopBefewndtEMNTjIE>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 20:30:38 -0000

On 3/1/21 3:11 PM, Phillip Hallam-Baker wrote:

> Lets take a step back. There are two separate sets of concerns related 
> to 'privacy'
>
> 1) Disclosure of an identifier allows a service attack using that 
> identifier.
>
> 2) Linking separate uses of an identifier allows a profile to be 
> constructed of the individual that can be used against the interest of 
> the individual.

3) if it's already known that a service provider is routinely violating 
its users' privacy, why would anyone trust them to be an authentication 
service or identity provider for any service that they themselves did 
not operate?

(what I haven't tried to determine yet is whether HTTP cookies get 
exchanged during OAuth2 transactions... )

Keith