Re: Diversity and Inclusiveness in the IETF

[Keith Moore <moore@network-heretics.com>]

This.

- Keith

On 2/24/21 12:47 AM, Phillip Hallam-Baker wrote:
> I am worried by the advice 'use OAUTH' but for a very different reason.
>
> OAUTH and SAML are both attempts to provide a secure authentication 
> scheme that works within the very particular and very peculiar 
> environment of Web browsers. They are schemes that necessarily involve 
> techniques that are rightly regarded as alchemy if not outright 
> witchcraft.
>
> That is fine, that is more than fine if you are developing an 
> authentication scheme for use within Web browsers (or if you are 
> developing whatever SAML and OAUTH are these days, neither was 
> originally billed as authentication). But it is completely 
> inappropriate to ever suggest let alone demand that anyone use a 
> technology whose primary design constraint is to work around the 
> voodoo of Javascript, URIs, HTTP cookies etc. etc. in an application 
> where none of those legacy issues apply.
>
> One of the big problems of IETF is that a lot of people don't think 
> about how to get their scheme deployed and when they do, their plan is 
> to tie it to some other group as a boat anchor. Back when we were 
> doing DKIM and SPF we had to tell certain DNS folk that the fact that 
> almost no DNS Registrars offered customers the ability to specify new 
> RRTypes was their problem and was going to remain their problem no 
> matter how loudly they tried to complain that it should become our 
> problem.
>
> In the case of OAUTH, there is another problem in that OAUTH really 
> isn't a very open protocol from the standpoint of the user. I can use 
> my Google or my Facebook or my Twitter accounts to log in via OAUTH at 
> a large number of sites. But if I want to use any other OAUTH provider 
> I am completely out of luck. Or at least I will be until this becomes 
> one of the multifaceted complaints in the anti-trust hearings coming 
> soon to a capitol hill near you. And yes, that is a consequence of how 
> the protocol has been deployed, but that probably not going to get 
> people very far on capitol hill.
>
>
> The Internet is for everyone. The Internet is for end users.
>
> I am really not that interested in who makes the ingredients except to 
> the extent that it determines what sort of cake emerges. One of the 
> unexpected side effects of Web 2.0 has been that it has greatly 
> centralized power in the hands of a tiny number of individuals. 
> Individuals who are at best accountable to shareholders, but in the 
> case of some of them, a separate share class ensures that they are 
> accountable to nobody. In neither case are the people with power 
> accountable to end users because they are not even customers, they are 
> the product.
>
> What I am interested in is the extent to which Internet technologies 
> are Technologies of Freedom. The question we need to ask ourselves is 
> 'does this technology increase end user autonomy or increase their 
> reliance on third parties'.
>