RE: Diversity and Inclusiveness in the IETF

Larry Masinter <> Wed, 24 February 2021 06:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD1933A006A; Tue, 23 Feb 2021 22:08:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id THBYsxzEM8TP; Tue, 23 Feb 2021 22:07:59 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 79E5C3A0045; Tue, 23 Feb 2021 22:07:59 -0800 (PST)
Received: by with SMTP id 17so548484pli.10; Tue, 23 Feb 2021 22:07:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=sender:from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-language:thread-index; bh=qgUPjmOhW7VIcGJGzalTg+OrDHhdIVM3zhsW8EhB+xA=; b=AII174Yb+BZhN3SoFmNscV7yLKqqwHsul1GW19a/2B3ALzXH6NhULVlWrxNlpt3+P1 JBD8bE+lo/eMPmZdl2Y5kPxfnhLKfi3KG8LNV3FS+y5vlwiCyK5FC0ZkOKOhbZj8TY11 DCIbOKI6qYsIi0d6CUNdi2ENrtE0u4PObg9v30DgHir746Roa8N9DDJ2soUeUrBInHsW VBBZbPy3pu9Hc+RDACOpXRRlQSizxcoMT9gPpiUHhwnU0+D9sxdrzvhkULZ4mQEkf/w3 DbJzhhDBCr6PE9gY4I2DkEN9Bo2MjoOYaRG/NdtepVeyVUatZp+rRyz90kAissBk8cNU D5pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:sender:from:to:cc:references:in-reply-to:subject :date:message-id:mime-version:content-language:thread-index; bh=qgUPjmOhW7VIcGJGzalTg+OrDHhdIVM3zhsW8EhB+xA=; b=WjO98EmCQLZdaYax6j9zCsjjfMGrv+1cCaqhzHDC2621sYM/fMVzwVpDTdmAF181km kZ4+Y4gmFkJvV8viZ8bXTiTYzRBZD/7rNWfk1fQZcLzYRre9gsQ8xddPVe7y07NgGr43 8xKBx0D9hgJh8VcJKHJ33D4yO/rl2ZpLdsWDGdjABALskCu2LJI8SSyoysDh4QBKU10i 3glh1O+QHudeVBU97aa+8jnz4yBTPkdj5xfm5k1hp5hdj0hi6YumAf1QYiKgK9YB3QCK 82P14gXPcWHXjqyouP4dABBFLl+ColkLq9xVWCUBZTrW4vKNeCzWXWwDQ6SztyJDe6XW ickw==
X-Gm-Message-State: AOAM530a30Tcx73a9kWAyNPCsRrwK2UmPqlKD4MYFxL6GCpcWigtjroC oyyWt9kWQAp30BIgn6j35DlqcPqEvlA=
X-Google-Smtp-Source: ABdhPJwq8LI8dNL2UXr2NA5CKG9NqRosXGgGJa6vdiCNuAAah8nbCYARb0ldVQHxCm/0ij/p2RaDCg==
X-Received: by 2002:a17:90a:67ca:: with SMTP id g10mr2864720pjm.28.1614146878269; Tue, 23 Feb 2021 22:07:58 -0800 (PST)
Received: from TVPC ( []) by with ESMTPSA id gk14sm7114037pjb.2.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Feb 2021 22:07:57 -0800 (PST)
Sender: Larry Masinter <>
From: Larry Masinter <>
X-Google-Original-From: "Larry Masinter" <>
To: "'Phillip Hallam-Baker'" <>, "'Kathleen Moriarty'" <>
Cc: <>, <>
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Subject: RE: Diversity and Inclusiveness in the IETF
Date: Tue, 23 Feb 2021 22:07:56 -0800
Message-ID: <00b901d70a73$65f830c0$31e89240$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00BA_01D70A30.57D5B410"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQLT1bdL7pqR2nvaftdkRCfHM2U8nwKGphCgAunXFDgBYaMquwHMl9O4AQMkYBcC8YDuIQGf13e1Axl8PAen4tIfQA==
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Feb 2021 06:08:02 -0000

Cogent argument that brings to focus on the  Subject:  topic what seemed like a “side” conversation about friendliness of the OAUTH wg. 



From: ietf <> On Behalf Of Phillip Hallam-Baker
Sent: Tuesday, February 23, 2021 9:47 PM
To: Kathleen Moriarty <>
Subject: Re: Diversity and Inclusiveness in the IETF


I am worried by the advice 'use OAUTH' but for a very different reason.


OAUTH and SAML are both attempts to provide a secure authentication scheme that works within the very particular and very peculiar environment of Web browsers. They are schemes that necessarily involve techniques that are rightly regarded as alchemy if not outright witchcraft.


That is fine, that is more than fine if you are developing an authentication scheme for use within Web browsers (or if you are developing whatever SAML and OAUTH are these days, neither was originally billed as authentication). But it is completely inappropriate to ever suggest let alone demand that anyone use a technology whose primary design constraint is to work around the voodoo of Javascript, URIs, HTTP cookies etc. etc. in an application where none of those legacy issues apply.


One of the big problems of IETF is that a lot of people don't think about how to get their scheme deployed and when they do, their plan is to tie it to some other group as a boat anchor. Back when we were doing DKIM and SPF we had to tell certain DNS folk that the fact that almost no DNS Registrars offered customers the ability to specify new RRTypes was their problem and was going to remain their problem no matter how loudly they tried to complain that it should become our problem. 


In the case of OAUTH, there is another problem in that OAUTH really isn't a very open protocol from the standpoint of the user. I can use my Google or my Facebook or my Twitter accounts to log in via OAUTH at a large number of sites. But if I want to use any other OAUTH provider I am completely out of luck. Or at least I will be until this becomes one of the multifaceted complaints in the anti-trust hearings coming soon to a capitol hill near you. And yes, that is a consequence of how the protocol has been deployed, but that probably not going to get people very far on capitol hill.



The Internet is for everyone. The Internet is for end users.


I am really not that interested in who makes the ingredients except to the extent that it determines what sort of cake emerges. One of the unexpected side effects of Web 2.0 has been that it has greatly centralized power in the hands of a tiny number of individuals. Individuals who are at best accountable to shareholders, but in the case of some of them, a separate share class ensures that they are accountable to nobody. In neither case are the people with power accountable to end users because they are not even customers, they are the product.


What I am interested in is the extent to which Internet technologies are Technologies of Freedom. The question we need to ask ourselves is 'does this technology increase end user autonomy or increase their reliance on third parties'.