Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF
Warren Parad <wparad@rhosys.ch> Wed, 24 February 2021 10:23 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DA203A1370 for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 02:23:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.088
X-Spam-Level:
X-Spam-Status: No, score=-7.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLWZX1gLG9lc for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 02:23:01 -0800 (PST)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 375ED3A136B for <oauth@ietf.org>; Wed, 24 Feb 2021 02:23:01 -0800 (PST)
Received: by mail-io1-xd32.google.com with SMTP id n14so1472219iog.3 for <oauth@ietf.org>; Wed, 24 Feb 2021 02:23:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Es/VR3KD7LNRN3EfdMO5sYaX1dAvZ4BzI89SgjD1O8g=; b=eP2ipcVgknEX9SZ4NqMR9URJm0GO4s0dPGdJgtF5nvHc+HxqdRJaAt9ZI2JhMqmGWT jaa+oIql1T1hi+cyG1V/cb3cwsWWDo2YxqvoqXsyCPOOclyYnjnerzMP262qJVpLH9+2 axaHxM1oTu9rhuIARR0e7igzoUWiXURvHah3wAfm2Y0nv8WMY91vZp34AWdw6+8xEuQ/ Paf4KZoDvL0RjkCs7DqMfHg/9GGGy9cE1ReH4okxxK36gGDWsvY8kP5c58waC9udI8zD N3eRwNOdxs/MEHIvoSdaMQiHWVDYAWsAO7byeJ5FeiPWFHdFzCZKMXtMX2LdlPx8tMTb 90BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Es/VR3KD7LNRN3EfdMO5sYaX1dAvZ4BzI89SgjD1O8g=; b=LaoItvOta8ol1FZ66wlpg/u/sjF/p7W94XUcP1qc+V3LCnou0M7AKhD0kaaS3xgkI+ Q0xgl4TKfPTcRatMyMio4N8C9SYsmeXo2ygFO0PSUsOhvuVV002b2cEBbKGfkcWAeJ6n QuA78Bvpj+jNxuRoF3g+tSFOQfL2mu8/N4Qi+O4X1VMpBRWmoASTxDuhVR9fRw04aoLA betjQDZTzo2M+exqXn7qAbbMdnogXT82LmPUBytntdNUDpExVH7P9oH5HUfTHmm7wpPf XzaOSiHOvKJO4A/3p1gPrhoCKLEmnmHtZLG4kzQJlqi2ZAfh8PQiHWPZmeysATRl/Ugk usNQ==
X-Gm-Message-State: AOAM533+EOD91lG9Z5CrKvsUSbjXqO1BSSQrmfVC2rexwvswbwKMrFfB BcvnZ1e8xi0oYofWifrB5C4+hwXiE8RfkUHLkvNJ
X-Google-Smtp-Source: ABdhPJypwPYfAY1V6io8wbu2qxZSmxCku+GjkZBMttCsLyVyC+cqMInDmjgjX6mF4kf8WLAil3288hdUIVoMCvaeJjY=
X-Received: by 2002:a5d:9510:: with SMTP id d16mr23381104iom.81.1614162180341; Wed, 24 Feb 2021 02:23:00 -0800 (PST)
MIME-Version: 1.0
References: <37eecb9b-f0eb-e21c-b162-b1f0339e4981@si6networks.com> <3c2d646d-f18d-4d88-b458-29dbd486432b@beta.fastmail.com> <AM0PR08MB371669108E9CEA561BEC9EF6FA809@AM0PR08MB3716.eurprd08.prod.outlook.com> <d6648437-332b-4668-a1c7-591f2c287539@dogfood.fastmail.com> <CADNypP8GKTY-Jhpb6AEfcpXOihwLap7OrrByNemGc2GNvZLeog@mail.gmail.com> <10fd9d2d-afb4-44aa-b618-fb5ce1efa69e@dogfood.fastmail.com> <c21477c8f68047cabac7aeae60a688f2@cert.org> <CAHbuEH7Qvc3AaBxbk1kXd4knS4_+Wrs3P7WNETRNNoFP-dGNCA@mail.gmail.com> <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <AM0PR08MB37168F0895CC638ED5222E65FA9F9@AM0PR08MB3716.eurprd08.prod.outlook.com>
In-Reply-To: <AM0PR08MB37168F0895CC638ED5222E65FA9F9@AM0PR08MB3716.eurprd08.prod.outlook.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 24 Feb 2021 11:22:49 +0100
Message-ID: <CAJot-L1MxmEwSyUMbb6k8JYXOvUGMFSGaC76dYY9KU53P1jF7w@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e9a1705bc126b49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2Px5oSZ2mLylTpHOrHJSsBgUbZ4>
Subject: Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 10:23:10 -0000
👏 Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. On Wed, Feb 24, 2021 at 10:09 AM Hannes Tschofenig < Hannes.Tschofenig@arm.com> wrote: > Hi Phil, > > > > I am moving this to the OAuth group to avoid confusing the IETF list any > further. > > > > See my feedback below. > > > > *From:* ietf <ietf-bounces@ietf.org> *On Behalf Of * Phillip Hallam-Baker > *Sent:* Wednesday, February 24, 2021 6:47 AM > *To:* Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> > *Cc:* ietf@ietf.org; oauth@ietf.org > *Subject:* Re: Diversity and Inclusiveness in the IETF > > > > I am worried by the advice 'use OAUTH' but for a very different reason. > > > > OAUTH and SAML are both attempts to provide a secure authentication scheme > that works within the very particular and very peculiar environment of Web > browsers. They are schemes that necessarily involve techniques that are > rightly regarded as alchemy if not outright witchcraft. > > > > [Hannes] OAuth and SAML were initially developed for the Web because the > web is an important deployment use case. Both protocols had a very > different history and also different use cases. OAuth is for delegated > access and SAML was developed as a WebSSO solution. OAuth and SAML were > later extended to other environments too. In case of OAuth you can find > some of this info in our documents, such as the OAuth 2.0 for native apps. > > > > That is fine, that is more than fine if you are developing an > authentication scheme for use within Web browsers (or if you are developing > whatever SAML and OAUTH are these days, neither was originally billed as > authentication). > > > > [Hannes] OAuth is not an authentication scheme, particularly when > referring to users. It is explicitly the intention to keep the user > authentication part outside OAuth, which allows us to use the most modern > user authentication technology available without having to touch OAuth. > > > > But it is completely inappropriate to ever suggest let alone demand that > anyone use a technology whose primary design constraint is to work around > the voodoo of Javascript, URIs, HTTP cookies etc. etc. in an application > where none of those legacy issues apply. > > > > [Hannes] It is difficult to comment on this because I don’t know the > context. Maybe OAuth was a fine choice and maybe it wasn’t. I don’t know. > We all agree that OAuth is not going to be the answer to every question. > > > > One of the big problems of IETF is that a lot of people don't think about > how to get their scheme deployed and when they do, their plan is to tie it > to some other group as a boat anchor. > > > > [Hannes] In general, standing on the shoulders of giants is not a bad > approach. Changes are that there is a potential for re-use. OAuth also > wasn’t produced in a vacuum either. We use JSON as an encoding for the > access tokens with the JWT when the work in the JOSE group was started. We > also had to work with the nuances of HTTP. We made use of TLS. > > > > Back when we were doing DKIM and SPF we had to tell certain DNS folk that > the fact that almost no DNS Registrars offered customers the ability to > specify new RRTypes was their problem and was going to remain their problem > no matter how loudly they tried to complain that it should become our > problem. > > > > [Hannes] I cannot comment on DKIM and SPK because I was not involved in > that work. > > > > In the case of OAUTH, there is another problem in that OAUTH really isn't > a very open protocol from the standpoint of the user. I can use my Google > or my Facebook or my Twitter accounts to log in via OAUTH at a large number > of sites. But if I want to use any other OAUTH provider I am completely out > of luck. Or at least I will be until this becomes one of the multifaceted > complaints in the anti-trust hearings coming soon to a capitol hill near > you. And yes, that is a consequence of how the protocol has been deployed, > but that probably not going to get people very far on capitol hill. > > > > [Hannes] OAuth 2.0 is a specification. It has a couple of flows. A product > and a service adds more to OAuth, i.e. OAuth is just a building block in a > larger ecosystem. That ecosystem will contain the actual application and > also the user authentication component (among other things). Companies make > their own decision about how they want to use OAuth in their product. A > fitness company may decide to allow its users to share their heart rate > data with others (assuming consent of the user). It may also decide not to > do it. It is a business decision. OAuth allows you to do it securely with > the consent of the user. Neither the OAuth spec nor the IETF can tell > companies who they should work with. > > > > The Internet is for everyone. The Internet is for end users. > > > > [Hannes] Those are great words but they mean nothing in this context. You > know that. > > > > > > I am really not that interested in who makes the ingredients except to the > extent that it determines what sort of cake emerges. One of the unexpected > side effects of Web 2.0 has been that it has greatly centralized power in > the hands of a tiny number of individuals. Individuals who are at best > accountable to shareholders, but in the case of some of them, a separate > share class ensures that they are accountable to nobody. In neither case > are the people with power accountable to end users because they are not > even customers, they are the product. > > > > [Hannes] I believe the IETF is good at producing building blocks, has > little experience in complete systems and no experience with building > actual products. You are complaining about the products. You are blaming > the wrong people. > > > > > > What I am interested in is the extent to which Internet technologies are > Technologies of Freedom. The question we need to ask ourselves is 'does > this technology increase end user autonomy or increase their reliance on > third parties'. > > > > [Hannes] OAuth is flexible. You could use in your own personal data store > and people have done that. Then, you are controlling everything. You can > also setup a company to offer that service to others because there will be > some users who do not want to run everything themselves. > > > > > > I understand that some of the developments on the Internet are concerning > and I share your concerns. If you believe OAuth is a reason for this > development then I have to disagree with you. > > > > Ciao > > Hannes > > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- [OAUTH-WG] JMAP's experience with proposing an Au… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Roman Danyliw
- Re: [OAUTH-WG] JMAP's experience with proposing a… Brian Campbell
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Kathleen Moriarty
- Re: [OAUTH-WG] JMAP's experience with proposing a… Phil Hunt
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JMAP's experience with proposing a… Evert Pot
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Eric Rescorla
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Phillip Hallam-Baker
- [OAUTH-WG] Building Real Internet Platforms Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Larry Masinter
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Jim Manico
- [OAUTH-WG] We appear to still be litigating OAuth… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Carsten Bormann
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Neil Madden
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Michael Richardson
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hunt
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… ST GERMAIN
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- [OAUTH-WG] How to tell people... Was: We appear t… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Christian Huitema
- Re: [OAUTH-WG] We appear to still be litigating O… David Waite
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jeff Craig
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Vittorio Bertola