Re: [OAUTH-WG] Assessing the negative effects of proposed standards

Jim Manico <> Mon, 01 March 2021 16:32 UTC

To: Vittorio Bertola <>
Cc: IETF-Discussion Discussion <>,
From: Jim Manico <>
Subject: Re: [OAUTH-WG] Assessing the negative effects of proposed standards
Date: Mon, 1 Mar 2021 11:32:00 -0500


I feel you are conflating OIDC with OAuth2. In delegation workflows, the 
AS/RS can be any company and the clients are approved registered 
clients. I use OAuth2 for many of my own consumer needs and there is an 
even distribution of use among many services. OAuth2 protects me. I no 
longer have to hand out my Twitter credentials just because my 
conference website wants limited access to my Twitter account. I can now 
give my conference website limited delegated access to my Twitter 
account and cancel that relationship any time. For years I was forced to 
give up my banking credentials to services like Mint and that is no 
longer the case due to the OAuth2 financial extension (FAPI).

While OIDC is certainly centralizing identity to a few providers, a real 
problem, OAuth2 when used for delegation purposes does not have that 
same inherent risk.


- Jim Manico

On 3/1/21 9:59 AM, Vittorio Bertola wrote:
>> On 01/03/2021 15:13 Jim Manico <> wrote:
>> How does OAuth harm privacy? 
> I think you are analyzing the matter at a different level.
> If you start from a situation in which everyone is managing their own 
> online identity and credentials, and end up in a situation in which a 
> set of very few big companies (essentially Google, Apple and Facebook) 
> are supplying and managing everyone's online credentials and logins, 
> then [the deployment of] OAuth[-based public identity systems] is 
> harming privacy.
> Centralization is an inherent privacy risk. If you securely and 
> privately deliver your personal information to parties that can 
> monetize, track and aggregate it at scale, then you are losing privacy.
> -- 
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> Office @ Via Treviso 12, 10144 Torino, Italy

Jim Manico
Manicode Security
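The property Jim's reply relies on (a client gets only a scope-limited, revocable token and never the user's password) as an added toy model, not code from the thread or any real OAuth2 implementation; the in-memory AuthorizationServer, the user "alice", the client "conference-site" and the scope names are constructed for the example.

```python
"""Constructed illustration of scope-limited, revocable delegation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    # Toy model: the AS alone holds the user's credential (a real AS stores
    # a hash); the client only ever receives an opaque token.
    users: dict = field(default_factory=dict)   # username -> password
    tokens: dict = field(default_factory=dict)  # token -> (user, client, scopes)
    revoked: set = field(default_factory=set)

    def grant(self, user, password, client_id, scopes):
        """User authenticates and consents at the AS; client gets a token."""
        stored = self.users.get(user, "")
        if not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, client_id, frozenset(scopes))
        return token

    def revoke(self, token):
        """User cancels the delegation (RFC 7009-style revocation)."""
        self.revoked.add(token)

    def introspect(self, token):
        """Return (user, client, scopes) for an active token, else None."""
        if token in self.revoked or token not in self.tokens:
            return None
        return self.tokens[token]


def resource_request(auth_server, token, needed_scope):
    """Resource server decision: only active tokens carrying the scope pass."""
    info = auth_server.introspect(token)
    if info is None:
        return "denied: token inactive"
    _user, _client, scopes = info
    if needed_scope not in scopes:
        return "denied: insufficient_scope"
    return "allowed"


def demo():
    """Read-only delegation works, writes are refused, revocation ends it."""
    az = AuthorizationServer(users={"alice": "hunter2"})  # constructed user
    tok = az.grant("alice", "hunter2", "conference-site", ["tweets:read"])
    read_ok = resource_request(az, tok, "tweets:read")
    write_blocked = resource_request(az, tok, "tweets:write")
    az.revoke(tok)
    after_revoke = resource_request(az, tok, "tweets:read")
    return read_ok, write_blocked, after_revoke
```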