Re: [OAUTH-WG] subdomain
Jerry Leyendecker <jleyendeckeratx@gmail.com> Wed, 24 February 2021 12:29 UTC
Return-Path: <jleyendeckeratx@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 150E43A14EC for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 04:29:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EHuiB_z8w9Co for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 04:29:31 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8B823A14DA for <oauth@ietf.org>; Wed, 24 Feb 2021 04:29:30 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id g3so2215475edb.11 for <oauth@ietf.org>; Wed, 24 Feb 2021 04:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=B7C+ATMNQt1a2+SXWHdxTBfD0k1RF+yCylWISGljKwY=; b=qYNQ/0LZKTeFsZKYNRwJIuo8+3ifhbrQGSNVO+okpqRcCFmnrlscwGTH6/bVRhz4tx 8xqtDCEmkcHKmpAc2hi1lKXo4IyZ4SnYrRfkWf0nhmpGTyf52lue1QsrxXb8vp25uPqp JNyUw633Tg+k+K8/XD7tbfIvbJ/hMw4ZbC8yyJU4PyDZEVsqH8zDlvVRbeZz8aByj/TO H0xsdCHCa3QPkwdiirjrHjooO78g91bROXAP0oREgM5ojqCgxiILnul+8Nl/Hl2mS5mv fMa6PXZt4JHEAC+rP0EOvr8qrmxMo1W+sO+JeJRCT22mfUcklVeUrkdavUUWwLbj3opG 0RRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=B7C+ATMNQt1a2+SXWHdxTBfD0k1RF+yCylWISGljKwY=; b=tLK9lL/Rc6hKUCJO1dZL572BdAbwyDraDf+JcoP5Q46XuaSTSu96R03HmNZySyhTlZ K8x9n0KAzXrTsl4W7mLnFj0v62ise8JgupOlFJnRg5duXbYiZrukVjsveRaVN0SWUp6d QX+reEqzZP/ygPm7AdHLeWjZU5kX9WoAQa24Uji4GUU3kEeConmPgiA7mBGj+d8gc6Rg RdXZUYmnIE5kHc0RE8Q+KEGfgBpruG1ODBRjQ3xht7u/irzeSyslJaTclOpZD5mgPwVa 99azdWtoeS/j3xL2QFwqJ9DbtnmpjNdHdE6Le6BFNOtMSdwGwSX3L4znfwAXTg5951H/ TJ2A==
X-Gm-Message-State: AOAM533S10G5PRFrUOBVZ9v7mq20gsMGgvD89FbS38Z1xIgTHh6eiBlp 42LbEHmLLVh033EPKROXKV+4g9MaGh0ToZcHOB94rz/K//XQ1Q==
X-Google-Smtp-Source: ABdhPJxdENvh1scMhU5UWD0/G5sKEFdUP4Te7lONEFWC23johik7aEZjBFG7dyyQO1wfkA9NJDotN1AJYCLMkbke9ms=
X-Received: by 2002:a05:6402:3074:: with SMTP id bs20mr23091196edb.120.1614169768666; Wed, 24 Feb 2021 04:29:28 -0800 (PST)
MIME-Version: 1.0
References: <mailman.2174.1614169263.6343.oauth@ietf.org>
In-Reply-To: <mailman.2174.1614169263.6343.oauth@ietf.org>
From: Jerry Leyendecker <jleyendeckeratx@gmail.com>
Date: Wed, 24 Feb 2021 06:29:17 -0600
Message-ID: <CABv2g9ysJJd8CWq1rrLncexqeABorn7V5_YMx5a_PMY-MndbMw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ab293305bc142f9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0btaHUe_WUmHTnEhTb-3tstjNzk>
Subject: Re: [OAUTH-WG] subdomain
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 12:29:34 -0000
What would be my subdomain when entering authress.api On Wed, Feb 24, 2021, 6:21 AM <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: We appear to still be litigating OAuth, oops (Bron Gondwana) > 2. Re: We appear to still be litigating OAuth, oops (Neil Madden) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 24 Feb 2021 23:15:15 +1100 > From: "Bron Gondwana" <brong@fastmailteam.com> > To: "Warren Parad" <wparad@rhosys.ch> > Cc: "Carsten Bormann" <cabo@tzi.org>, "Phillip Hallam-Baker" > <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, > ietf@ietf.org > Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops > Message-ID: <121f52be-4747-45f3-ad75-79fa2f693d75@beta.fastmail.com> > Content-Type: text/plain; charset="us-ascii" > > > > On Wed, Feb 24, 2021, at 23:09, Warren Parad wrote: > > (I tend to trend lightly in the pronoun area, mostly because I'm shocked > that openid included gender but not pronouns) > > > > I hadn't heard that to be called the NxM problem, so that definitely > cleared up the potential confusion (at least for me). > > > > I think GNAPs lack of clarity is a non sequitur for the handling or not > of the multitrust arbitrary-client with arbitrary-service, however it's > lack of clarity for me prevents me from knowing whether GNAP actually seeks > to solve this problem. So from an OAuth WG perspective we can still ask: > > > > *Is this or should this problem be left to GNAP to solve, or is an OAuth > WG responsibility?* > > Honestly I think the problem space is the whole ietf's responsibility. > Protocols that allow an end user to safely transfer data between two > parties that don't have a pre-existing trust relationship are a key part of > enabling user freedom and user choice. > > Bron. > > > > > > *Warren Parad* > > > Founder, CTO > > > Secure your user data with IAM authorization as a service. Implement > Authress <https://authress.io/>. > > > > > > On Wed, Feb 24, 2021 at 12:39 PM Bron Gondwana <brong@fastmailteam.com> > wrote: > >> __ > >> On Wed, Feb 24, 2021, at 22:04, Warren Parad wrote: > >>> I would prefer Bron to answer that question, as they are the one who > started this email thread. > >> > >> You can also use he when talking about me, or she for that matter - I > do enough group fitness classes where it's roughly assumed that the entire > class is female, and I have an ambiguous enough name that I'm used to it. > Most people use "he" most of the time. > >> > >>> However let's look at GNAP, I've honestly been struggling to > understand at least one fully documented case that GNAP supports. It seems > in every document the only thing that is clear is GNAP wants to allow > "everything", doesn't actually talk about an example. > >> > >> That's my biggest fear for GNAP - it too will try to be everything to > everybody and wind up being nothing to nobody because the super flexible > "everything protocol" is the same as no protocol at all, since you have to > special-case everybody you talk to anyway. > >> > >>> By NxM, I assume we mean that the end user or client is free to select > whichever AS they want, in a way which the RS can verify the AS credential > and the user identity, without the RS having to (and really without the > ability to limit) which AS are allowed. > >> > >> Let's get down to use cases then, rather than talking in abstracts. > >> > >> I'm an end user with a copy of {The Bat email client} and I want to > connect it to {Gmail} + {Yahoo} + {My ISP}. It supports {POP3}, a widely > popular open standard. I want to be able to authenticate to each of those > services without saving my plaintext passwords on my hard disk where the > next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and > all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account, > leaving me destitute. > >> > >> But, {The Bat} doesn't have a trusted client cert from my isp, because > who does - so there's no good protocol for me - it's either plaintext auth, > or it's some architecture astronaut multi-party nonsense that's massively > over specified and doesn't work half the time. So I write a plain text > password on a post-it note which is lying in the dust under my monitor > because the glue has gone bad, and I hope I never accidentally click > "remember me" when I type it in. > >> > >> That's been the reality of the end user experience for very many years. > >> > >> NxM means that you can authenticate an arbitrary client against an > arbitrary server so long as they are both speaking a known public protocol, > without needing to build a trust relationship between the client vendor and > the server vendor first. > >> > >> Any "trust relationship" is made through a user both who trusts the > client and trusts the server, and it's not transitive over to other users > of the same client and the same server. The client author doesn't need to > get a signed "I trust you" from every single server, and the server author > doesn't have to go identify every single client. > >> > >> That's what NxM means to a user, the ability to use arbitrary clients > with arbitrary servers so long as they both implement a documented > protocol. Interoperability. > >> > >> OAuth has not given interoperability in the NxM sense outside some > simple web use cases. They're nice and all, but they don't tend to be > useful with open protocols - OAuth gets used for accessing proprietary API > endpoints after getting an access key for a single provider. At least you > get Nx1 or 1xM out of it depending who's the N and who's the M, and maybe > some of your code can rhyme so you're not doing everything from scratch > each time. > >> > >> This is the sorry story of real open protocols. The floor for true > interoperability is still username + password over cleartext, over > hopefully a TLS tunnel that's providing some level of protection. Most so > than a few years ago when Fastmail wrote our "starttls considered > harmful"[1] objection to the IETF's habit at the time of putting a > "STARTTLS" upgrade into an initially plaintext protocol, where an active > intercepter could just strip the "I support STARTTLS" indicator from the > protocol and convince the client to send the credentials in the clear. > >> > >> We're a little better mostly these days, but it's still a tirefire, and > in my heart I do hold the OAuth working group's squatting on this area of > the landscape while failing to address this burning need partially > responsible. The result (as Phillip pointed out upthread) has been a > consolidation towards a few big players - because NxM becomes tractable > when you reduce the N and M to small enough numbers. > >> > >> Bron. > >> > >> [1] > https://www.fastmail.help/hc/en-us/articles/360058753834-SSL-TLS-and-STARTTLS > >> > >> -- > >> Bron Gondwana, CEO, Fastmail Pty Ltd > >> brong@fastmailteam.com > >> > >> > > -- > Bron Gondwana, CEO, Fastmail Pty Ltd > brong@fastmailteam.com > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210224/71b31a28/attachment.htm > > > > ------------------------------ > > Message: 2 > Date: Wed, 24 Feb 2021 12:20:56 +0000 > From: Neil Madden <neil.madden@forgerock.com> > To: Bron Gondwana <brong@fastmailteam.com> > Cc: Warren Parad <wparad@rhosys.ch>, Carsten Bormann <cabo@tzi.org>, > Phillip Hallam-Baker <phill@hallambaker.com>, "oauth@ietf.org" > <oauth@ietf.org>, ietf@ietf.org > Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops > Message-ID: <02A263F5-8109-4D3B-A684-D9B574260B50@forgerock.com> > Content-Type: text/plain; charset="utf-8" > > On 24 Feb 2021, at 11:39, Bron Gondwana <brong@fastmailteam.com> wrote: > > > >> > >> [?] > > > > Let's get down to use cases then, rather than talking in abstracts. > > > > I'm an end user with a copy of {The Bat email client} and I want to > connect it to {Gmail} + {Yahoo} + {My ISP}. It supports {POP3}, a widely > popular open standard. I want to be able to authenticate to each of those > services without saving my plaintext passwords on my hard disk where the > next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and > all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account, > leaving me destitute. > > > > But, {The Bat} doesn't have a trusted client cert from my isp, because > who does - so there's no good protocol for me - it's either plaintext auth, > or it's some architecture astronaut multi-party nonsense that's massively > over specified and doesn't work half the time. So I write a plain text > password on a post-it note which is lying in the dust under my monitor > because the glue has gone bad, and I hope I never accidentally click > "remember me" when I type it in. > > > > That's been the reality of the end user experience for very many years. > > > > NxM means that you can authenticate an arbitrary client against an > arbitrary server so long as they are both speaking a known public protocol, > without needing to build a trust relationship between the client vendor and > the server vendor first. > > Does the following meet your needs? > > You type your email address into {The Bat} to begin configuration. {The > Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My ISP}. > The discovery document reveals that {My ISP} supports open dynamic client > registration [3][4] so {The Bat} registers and gets issued with a client id > and client secret. {The Bat} then does a normal OAuth flow to get an access > token to access your emails from {My ISP}. If you later stop using {The > Bat} you can go to your page on {My ISP} and revoke its access because it > has a unique client id. > > [1]: https://openid.net/specs/openid-connect-discovery-1_0.html < > https://openid.net/specs/openid-connect-discovery-1_0.html> > [2]: https://tools.ietf.org/html/rfc8414 < > https://tools.ietf.org/html/rfc8414> > [3]: https://openid.net/specs/openid-connect-registration-1_0.html < > https://openid.net/specs/openid-connect-registration-1_0.html> > [4]: https://tools.ietf.org/html/rfc7591 < > https://tools.ietf.org/html/rfc7591> > > > > > Any "trust relationship" is made through a user both who trusts the > client and trusts the server, and it's not transitive over to other users > of the same client and the same server. The client author doesn't need to > get a signed "I trust you" from every single server, and the server author > doesn't have to go identify every single client. > > > > That's what NxM means to a user, the ability to use arbitrary clients > with arbitrary servers so long as they both implement a documented > protocol. Interoperability. > > That?s fine for your use-case, but that isn?t everybody?s use-case. Other > use-cases (such as Open Banking) involve regulatory or policy frameworks in > which open dynamic client registration is not appropriate. JMAP could have > an RFC describing the use of OAuth with JMAP that mandates open dynamic > client registration and discovery. > > > ? Neil > > > -- > ForgeRock values your Privacy <https://www.forgerock.com/your-privacy> > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210224/ac3ed3af/attachment.htm > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 148, Issue 80 > ************************************** >
- Re: [OAUTH-WG] subdomain Jerry Leyendecker