Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
Jim Willeke <jim@willeke.com> Wed, 24 February 2021 15:35 UTC
Return-Path: <jim@willeke.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC5A93A1723 for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 07:35:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=willeke.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9ZfjwDYh3ag for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 07:35:04 -0800 (PST)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEFBF3A1710 for <oauth@ietf.org>; Wed, 24 Feb 2021 07:34:47 -0800 (PST)
Received: by mail-lj1-x234.google.com with SMTP id v17so2849829ljj.9 for <oauth@ietf.org>; Wed, 24 Feb 2021 07:34:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=willeke.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=+t94oc+veDdddb/XX4zvX9KD9o4K5aXcME4/IfNmEY0=; b=DqSwZdrEt42fp2xquCNNJ1CUtf2cD82GZ4GnjVAbFJ2fyuU0pJx4q2HvaTurgv7H94 H2JWUUEpyrXBIYsahu9AK2eZSy0VrueUg2jO/jvwKY0IijxOnF2oSIJLyQU64Dzt/dCn Gufzcte0ClVzRuSKzKDXyn975bnjeIiEIVqwWmsYq5iomHR7iNjqlxOuXs9j9Jm3X5p9 OgROC6HWRcPy/F+aBOdPEn7ELYmBlxmeoD5aM4CS3brqRckdOhDbt/fFiUOYYLOUVXbK QLBVKqy5IEvsx1JU7oktH3ZWjA11EAcsW84aKvYutuN+k44j/KFPE7qIK1KBpUDcjCqw Tbpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=+t94oc+veDdddb/XX4zvX9KD9o4K5aXcME4/IfNmEY0=; b=nqqHBDmLfeVXxCoEJ+Yv3DLlCdjcsjKxIFil3HEODYL5Hua264vhfDKxLcqSMXdKRb riDcjrpcOlFl3lFxV4xOjWx/9ll13DtJ5LTCaGUAa0QlbqPMLC7hiifVgyxX+SsHEeQp Cgf8S+0eldsFj1T+ARJ+VgBE9QVvi5wxSpt57EeYby/tAjvCWCcAWPr7KqFOHj9gyOhy c445RYB5HFhx+rMVvDC/16HZiKng83orTB8xwLy77KVFRh4FtgVe+SeVsso4vJ5zZDWR eqPswbTQev2+PF7hWKzbU9vTMqulPeDB2QJtM6JkHidDMheQs5ly5BTDP/478lBWTF48 LGCw==
X-Gm-Message-State: AOAM5315n6tasnISOPY+f8Jt6nYJtmKjUK0KkTSCRs1v//GLqyLWfKpP EqNioVr7OZTNNxiA66zNn8ZH7pm5KQtLo3rW2GD5pjvL4Hs=
X-Google-Smtp-Source: ABdhPJxKph2HRZ7eEpm2RUjYoPJAIiZbxc5HN/+DJWRV7zh+KBT6MR7Y87agTAAe4NgoZclMbF97+KAkAaGoxYfeRfY=
X-Received: by 2002:a2e:8541:: with SMTP id u1mr20625454ljj.338.1614180884960; Wed, 24 Feb 2021 07:34:44 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com> <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com> <CAJot-L0PS_3LxEkC-jd1aqXDdYF+z8BajSs4Rhx3LgRPn6wkdQ@mail.gmail.com> <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> <CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com> <02A263F5-8109-4D3B-A684-D9B574260B50@forgerock.com> <CAGBSGjqGgYfcw+jqE+Y-JP_oXcHPMwhsqrO7vE=ReUXEqdLAzg@mail.gmail.com> <CAB3ntOuoPFHuUJT7WoWMSAar6nH06p4YUKmdgA860KnqOB2BWA@mail.gmail.com> <CAGBSGjo-rEAMkj-RiBjJoDs9TtTXyqZEpLTuSnx=EkooScAhBQ@mail.gmail.com>
In-Reply-To: <CAGBSGjo-rEAMkj-RiBjJoDs9TtTXyqZEpLTuSnx=EkooScAhBQ@mail.gmail.com>
From: Jim Willeke <jim@willeke.com>
Date: Wed, 24 Feb 2021 10:34:08 -0500
Message-ID: <CAB3ntOt99-Zs8Mb9YD1eZ50Lvv_e3bpOsUnyV9jYOqw+NpDGLA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000406c9305bc16c697"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0Q9M8gaoTdjXPlMvBtlT2PwpiNg>
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 15:35:08 -0000
I didn't mean to imply "you" were writing it off and you are probably right technology may not be able to solve it, I was just looking for ways we might help? -- -jim Jim Willeke On Wed, Feb 24, 2021 at 10:21 AM Aaron Parecki <aaron@parecki.com> wrote: > > Sure, you could write it off as "a business problem" but > > I did not mean to suggest that I was *writing it off* as a business > problem. > > It *is* a very real problem, and I would very much like to see a solution, > however based on my experience it is not something that technology will > solve. This is demonstrated by the fact that there are all the pieces in > place already yet many organizations refuse to adopt them, and it’s > definitely not for a lack of understanding. > > Aaron > > > > On Wed, Feb 24, 2021 at 7:01 AM Jim Willeke <jim@willeke.com> wrote: > >> But in reality, Just "because the technology" is there there leaves out >> the practicality of creating a secure implementation. Sure, you could write >> it off as "a business problem" but many of the developers are small and not >> unusually single person operations that do not have the resources to create >> a specific team, or even a specific person, to work through all the >> specifications that are involved. >> >> I do believe, in general, specific implementations should not be within >> the specifications but a "Best Practices" or "Common Implementations" >> document to coincide with the specifications might be in order. >> >> Just spend some time on https://stackexchange.com/filters/4229/oauth and >> you will see the issue and struggles. >> >> >> -- >> -jim >> >> Jim Willeke >> >> >> On Wed, Feb 24, 2021 at 8:46 AM Aaron Parecki <aaron@parecki.com> wrote: >> >>> > You type your email address into {The Bat} to begin configuration. >>> {The Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My >>> ISP}. The discovery document reveals that {My ISP} supports open dynamic >>> client registration [3][4] so {The Bat} registers and gets issued with a >>> client id and client secret. {The Bat} then does a normal OAuth flow to get >>> an access token to access your emails from {My ISP}. If you later stop >>> using {The Bat} you can go to your page on {My ISP} and revoke its access >>> because it has a unique client id. >>> >>> Like Neil says, the building blocks are all already there. The fact that >>> companies choose not to use them is not because the technology isn't there, >>> it's because it's a business problem. >>> >>> I'd be thrilled if the NxM problem were solved in practice, but >>> unfortunately that doesn't seem to be what's happened in the market. The >>> technical solution has been there a long time, so there's something else >>> going on. >>> >>> When I've brought up this topic in the past, most of the responses I've >>> gotten from the "big players" are along the lines of "lol we're not going >>> to let someone's software talk to us unless we have a legal arrangement >>> with the developer". The fact that dynamic client registration is barely >>> used is more because these service operators want the software developers >>> to agree to their terms of service before being able to access APIs. >>> >>> This is all to say that I agree it'd be nice to solve this problem, but >>> in the end, the IETF can't tell companies what to do with their products >>> and services. >>> >>> Aaron >>> >>> >>> >>> >>> On Wed, Feb 24, 2021 at 4:21 AM Neil Madden <neil.madden@forgerock.com> >>> wrote: >>> >>>> On 24 Feb 2021, at 11:39, Bron Gondwana <brong@fastmailteam.com> wrote: >>>> >>>> >>>> >>>> […] >>>> >>>> >>>> Let's get down to use cases then, rather than talking in abstracts. >>>> >>>> I'm an end user with a copy of {The Bat email client} and I want to >>>> connect it to {Gmail} + {Yahoo} + {My ISP}. It supports {POP3}, a widely >>>> popular open standard. I want to be able to authenticate to each of those >>>> services without saving my plaintext passwords on my hard disk where the >>>> next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and >>>> all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account, >>>> leaving me destitute. >>>> >>>> But, {The Bat} doesn't have a trusted client cert from my isp, because >>>> who does - so there's no good protocol for me - it's either plaintext auth, >>>> or it's some architecture astronaut multi-party nonsense that's massively >>>> over specified and doesn't work half the time. So I write a plain text >>>> password on a post-it note which is lying in the dust under my monitor >>>> because the glue has gone bad, and I hope I never accidentally click >>>> "remember me" when I type it in. >>>> >>>> That's been the reality of the end user experience for very many years. >>>> >>>> NxM means that you can authenticate an arbitrary client against an >>>> arbitrary server so long as they are both speaking a known public protocol, >>>> without needing to build a trust relationship between the client vendor and >>>> the server vendor first. >>>> >>>> >>>> Does the following meet your needs? >>>> >>>> You type your email address into {The Bat} to begin configuration. {The >>>> Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My ISP}. >>>> The discovery document reveals that {My ISP} supports open dynamic client >>>> registration [3][4] so {The Bat} registers and gets issued with a client id >>>> and client secret. {The Bat} then does a normal OAuth flow to get an access >>>> token to access your emails from {My ISP}. If you later stop using {The >>>> Bat} you can go to your page on {My ISP} and revoke its access because it >>>> has a unique client id. >>>> >>>> [1]: https://openid.net/specs/openid-connect-discovery-1_0.html >>>> [2]: https://tools.ietf.org/html/rfc8414 >>>> [3]: https://openid.net/specs/openid-connect-registration-1_0.html >>>> [4]: https://tools.ietf.org/html/rfc7591 >>>> >>>> >>>> Any "trust relationship" is made through a user both who trusts the >>>> client and trusts the server, and it's not transitive over to other users >>>> of the same client and the same server. The client author doesn't need to >>>> get a signed "I trust you" from every single server, and the server author >>>> doesn't have to go identify every single client. >>>> >>>> That's what NxM means to a user, the ability to use arbitrary clients >>>> with arbitrary servers so long as they both implement a documented >>>> protocol. Interoperability. >>>> >>>> >>>> That’s fine for your use-case, but that isn’t everybody’s use-case. >>>> Other use-cases (such as Open Banking) involve regulatory or policy >>>> frameworks in which open dynamic client registration is not appropriate. >>>> JMAP could have an RFC describing the use of OAuth with JMAP that mandates >>>> open dynamic client registration and discovery. >>>> >>>> >>>> — Neil >>>> >>>> >>>> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> -- >>> --- >>> Aaron Parecki >>> https://aaronparecki.com >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > -- > --- > Aaron Parecki > https://aaronparecki.com > >
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- [OAUTH-WG] JMAP's experience with proposing an Au… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Roman Danyliw
- Re: [OAUTH-WG] JMAP's experience with proposing a… Brian Campbell
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Kathleen Moriarty
- Re: [OAUTH-WG] JMAP's experience with proposing a… Phil Hunt
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JMAP's experience with proposing a… Evert Pot
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Eric Rescorla
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Phillip Hallam-Baker
- [OAUTH-WG] Building Real Internet Platforms Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Larry Masinter
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Jim Manico
- [OAUTH-WG] We appear to still be litigating OAuth… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Carsten Bormann
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Neil Madden
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Michael Richardson
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hunt
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… ST GERMAIN
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- [OAUTH-WG] How to tell people... Was: We appear t… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Christian Huitema
- Re: [OAUTH-WG] We appear to still be litigating O… David Waite
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jeff Craig
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Vittorio Bertola