Re: Diversity and Inclusiveness in the IETF

Keith Moore <> Wed, 24 February 2021 07:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6BF8D3A0CEE for <>; Tue, 23 Feb 2021 23:22:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gWkkqxNDoQH0 for <>; Tue, 23 Feb 2021 23:22:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6D773A0CED for <>; Tue, 23 Feb 2021 23:22:20 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.west.internal (Postfix) with ESMTP id CC123C2E for <>; Wed, 24 Feb 2021 02:22:19 -0500 (EST)
Received: from mailfrontend1 ([]) by compute3.internal (MEProxy); Wed, 24 Feb 2021 02:22:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=Y0daGC jkSq5LmEccfkYvWKzgHmsmV21yAniIrFuIueM=; b=XWcTrWuaoAkujkQPJJ/JPa L+Hqo487Fuo0r0yhGPPudJoyQm6fFzTrgZnjaSbk5TjCvbYF8vCu1WJWC5LnuubO 3eFhX3O30uFrXEHWO1P9MAzSi3j2dGfuV6Qb2xnysbYs8mDcwXhu3EWUOb+NJpV9 O1BvWie8XOFJEXw9dltBxOi2LfogqVH0RkDCiaaudiX1VVCGgOzPxrANOZI1SD5L EPC6ugZxZVUgsKiKBRXFX9Xbz1rKCxDprac645nEkJnSpkgA7+VWbyCKii1BiqHw ovQaFyw64UQDT6kDNnrS3qhA7n6StKIrcePzor3Q5MaubZh29mY0tkoBDWAM5c2A ==
X-ME-Sender: <xms:q_41YD2bfmyd-yhRpnkcNiYcUppWa_rrqYEHpqI3ojc30DJKf6cyeg> <xme:q_41YCEDkzvzrV55RmYsog3JqEwnbrX8J2I9TNwQmCTO1zZ4byrEw4tU3lceN11gy rx-nIJkj8M5ew>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrkeeigddutddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefuvfhfhffkffgfgggjtgesrgdtre ertdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecuggftrfgrthhtvghrnhepkefgvddvtdelud dtfeejkefffeeiudehfeetieduvdduvdetueegkeevueehteejnecuffhomhgrihhnpegv thgtrdhinhenucfkphepuddtkedrvddvuddrudektddrudehnecuvehluhhsthgvrhfuih iivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhoohhrvgesnhgvthifohhrkhdq hhgvrhgvthhitghsrdgtohhm
X-ME-Proxy: <xmx:q_41YD5TNOpjHwKYT1yG6_Ji198r5vo9nO1SkRtkObaOpJ0kP4Zegw> <xmx:q_41YI2RHIHHZBDElTOwBLTtwjQAXIkSDxR-wYss80T_u0-oGNwJxA> <xmx:q_41YGFrLlQq8lznxePplByKC8oKakofuQvwuIzN6PJuy9YxCIsOag> <xmx:q_41YCGoUceWJXhIb4HzJH3Uv8RYS5tKpyQcAqauXlroJYakK0PPpA>
Received: from [] ( []) by (Postfix) with ESMTPA id C887E24005C for <>; Wed, 24 Feb 2021 02:22:18 -0500 (EST)
Subject: Re: Diversity and Inclusiveness in the IETF
References: <> <> <> <> <> <> <> <> <>
From: Keith Moore <>
Message-ID: <>
Date: Wed, 24 Feb 2021 02:22:17 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------9ED91FEEABF397BF0BF7B490"
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Feb 2021 07:22:23 -0000


- Keith

On 2/24/21 12:47 AM, Phillip Hallam-Baker wrote:
> I am worried by the advice 'use OAUTH' but for a very different reason.
> OAUTH and SAML are both attempts to provide a secure authentication 
> scheme that works within the very particular and very peculiar 
> environment of Web browsers. They are schemes that necessarily involve 
> techniques that are rightly regarded as alchemy if not outright 
> witchcraft.
> That is fine, that is more than fine if you are developing an 
> authentication scheme for use within Web browsers (or if you are 
> developing whatever SAML and OAUTH are these days, neither was 
> originally billed as authentication). But it is completely 
> inappropriate to ever suggest let alone demand that anyone use a 
> technology whose primary design constraint is to work around the 
> voodoo of Javascript, URIs, HTTP cookies etc. etc. in an application 
> where none of those legacy issues apply.
> One of the big problems of IETF is that a lot of people don't think 
> about how to get their scheme deployed and when they do, their plan is 
> to tie it to some other group as a boat anchor. Back when we were 
> doing DKIM and SPF we had to tell certain DNS folk that the fact that 
> almost no DNS Registrars offered customers the ability to specify new 
> RRTypes was their problem and was going to remain their problem no 
> matter how loudly they tried to complain that it should become our 
> problem.
> In the case of OAUTH, there is another problem in that OAUTH really 
> isn't a very open protocol from the standpoint of the user. I can use 
> my Google or my Facebook or my Twitter accounts to log in via OAUTH at 
> a large number of sites. But if I want to use any other OAUTH provider 
> I am completely out of luck. Or at least I will be until this becomes 
> one of the multifaceted complaints in the anti-trust hearings coming 
> soon to a capitol hill near you. And yes, that is a consequence of how 
> the protocol has been deployed, but that probably not going to get 
> people very far on capitol hill.
> The Internet is for everyone. The Internet is for end users.
> I am really not that interested in who makes the ingredients except to 
> the extent that it determines what sort of cake emerges. One of the 
> unexpected side effects of Web 2.0 has been that it has greatly 
> centralized power in the hands of a tiny number of individuals. 
> Individuals who are at best accountable to shareholders, but in the 
> case of some of them, a separate share class ensures that they are 
> accountable to nobody. In neither case are the people with power 
> accountable to end users because they are not even customers, they are 
> the product.
> What I am interested in is the extent to which Internet technologies 
> are Technologies of Freedom. The question we need to ask ourselves is 
> 'does this technology increase end user autonomy or increase their 
> reliance on third parties'.