How to tell people... Was: We appear to still be litigating OAuth, oops

Phillip Hallam-Baker, Fri, 26 February 2021 16:40 UTC

To: Bron Gondwana
Cc: Jim Manico, IETF Discussion Mailing List

I spend rather too much time doing disinformation analysis these days. But
one of the issues that keeps coming up is what Sartre called a 'bad faith'
argument, which is an unfortunate term in that people end up doing it
without being aware of it, no malice involved.

What Sartre was describing was an argument in which there are two separate
frames of reference used. The first frame is used to establish that X
applies, then once that is achieved the first frame is discarded and X is
interpreted in the second frame.

To take an example:

Frame 1: Tony Blair implemented many policies that are described in a paper
by Milton Friedman when the latter was shilling for a position in the
Democratic administration of Harry Truman: Blair is a 'neoliberal'.

Frame 2: Neoliberal Milton Friedman shilled for and was successful in
getting a consulting role in the Pinochet regime. Therefore neoliberals
support Pinochet. Therefore Blair supports Pinochet. Therefore Blair
supports the mass murder of 30,000 people.

I am seeing similar in the OAUTH discussion:

Frame 1: X must use OAUTH it is simple!

Frame 2: You have to understand how to apply OAUTH correctly. The
Turbo-encabulator mode is very powerful let me stroke my beard while you
come to that understanding.

And yes, folk are going to get upset about having their arguments presented
in this fashion but I really don't know how else to get through to them the
reasons why the people on the receiving end of those arguments are getting

There is a real problem in trying to get across unwelcome information. The
ground problem for many of us with OAUTH is that we simply cannot
understand it. And we rather suspect the problem isn't on our side. I have
come to find that not being able to understand things that exceed a certain
complexity is actually a profound advantage in architecture. The real value
of formal methods turns out to be they force people to reduce the problem
to something simple enough to write proofs about.

This is one of the reasons I would like to see the IETF move towards a W3C
style plenary in which WGs are required to provide short introductions to
what they do. No, not status reports: an elevator pitch. Because if nobody
in the group can describe what is going on with clarity, well perhaps they
don't know themselves.

It is really difficult to know what to do in these circumstances. I tell
people my criteria for adopting a technology early on. If they meet my
criteria, I will attempt to make use of their work product. But I feel
absolutely no obligation to do so if they don't.