Building Real Internet Platforms

Mark Nottingham <> Wed, 24 February 2021 06:01 UTC

Subject: Building Real Internet Platforms
From: Mark Nottingham <>
Date: Wed, 24 Feb 2021 17:01:22 +1100
To: Phillip Hallam-Baker <>
List-Id: IETF-Discussion <>

Just to +1 and add my bit: in my mind one of the fundamental flaws of the Web is that it is basically a platform construction toolkit, without any of the checks or balances we put into *real* internet platforms to assure that there isn't one chokepoint with all of the power. As a result, it's tilted heavily towards winner-take-all economics through accrual of network effects and data advantages.

We should not follow this pattern in IETF specifications, whether or not they're associated with the Web. OAUTH-as-deployed might be one good example, but WEBRTC is equally problematic in this regard. WEBTRANS smells like it's primarily going to benefit big platforms who want to control the entire end user experience (and have the resources to exploit it), and let's not even get started about WPACK.

Yes, federation is hard. Yes, standards are slow and not as able to respond. Yes, the commercial incentives for silo'd platforms to invest aren't present. However, there's a *huge* push by competition authorities and regulators to find remedies for the concentrations of power in these few hands, and in many minds interoperability standards -- enforced by legal instruments -- are a primary means of getting there. This is potentially game-changing, in terms of the work that's possible to ship here.

I wrote a bit more about this recently:


> On 24 Feb 2021, at 4:47 pm, Phillip Hallam-Baker <> wrote:
> I am worried by the advice 'use OAUTH' but for a very different reason.
> OAUTH and SAML are both attempts to provide a secure authentication scheme that works within the very particular and very peculiar environment of Web browsers. They are schemes that necessarily involve techniques that are rightly regarded as alchemy if not outright witchcraft.
> That is fine, that is more than fine if you are developing an authentication scheme for use within Web browsers (or if you are developing whatever SAML and OAUTH are these days, neither was originally billed as authentication). But it is completely inappropriate to ever suggest let alone demand that anyone use a technology whose primary design constraint is to work around the voodoo of Javascript, URIs, HTTP cookies etc. etc. in an application where none of those legacy issues apply.
> One of the big problems of IETF is that a lot of people don't think about how to get their scheme deployed and when they do, their plan is to tie it to some other group as a boat anchor. Back when we were doing DKIM and SPF we had to tell certain DNS folk that the fact that almost no DNS Registrars offered customers the ability to specify new RRTypes was their problem and was going to remain their problem no matter how loudly they tried to complain that it should become our problem. 
> In the case of OAUTH, there is another problem in that OAUTH really isn't a very open protocol from the standpoint of the user. I can use my Google or my Facebook or my Twitter accounts to log in via OAUTH at a large number of sites. But if I want to use any other OAUTH provider I am completely out of luck. Or at least I will be until this becomes one of the multifaceted complaints in the anti-trust hearings coming soon to a Capitol Hill near you. And yes, that is a consequence of how the protocol has been deployed, but that is probably not going to get people very far on Capitol Hill.
> The Internet is for everyone. The Internet is for end users.
> I am really not that interested in who makes the ingredients except to the extent that it determines what sort of cake emerges. One of the unexpected side effects of Web 2.0 has been that it has greatly centralized power in the hands of a tiny number of individuals. Individuals who are at best accountable to shareholders, but in the case of some of them, a separate share class ensures that they are accountable to nobody. In neither case are the people with power accountable to end users because they are not even customers, they are the product.
> What I am interested in is the extent to which Internet technologies are Technologies of Freedom. The question we need to ask ourselves is 'does this technology increase end user autonomy or increase their reliance on third parties'.

Mark Nottingham