Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
Christian Huitema <huitema@huitema.net> Fri, 26 February 2021 20:11 UTC
To: Tim Bray <tbray@textuality.com>, Justin Richer <jricher@mit.edu>
Cc: Seán Kelleher <sean@trustap.com>, Phillip Hallam-Baker <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <5956005f-7817-bb9f-0b43-40a6f70bd2d6@huitema.net>
Date: Fri, 26 Feb 2021 12:11:27 -0800
In-Reply-To: <CAHBU6iu1e-8XOxH3DRxM36v_D-=J5Scw=yuZRD9G0VL+bY86Fg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2rcF0Dp8jGKqFw7uQhDCHoaUvEE>
On 2/26/2021 8:31 AM, Tim Bray wrote:
> On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:
>
> > Right, it’s possible to patch OAuth to do this, but the whole
> > “registration equals trust” mindset is baked into OAuth at a
> > really core level. That’s one of the main reasons there’s been
> > hesitance at deploying dynamic registration. It’s an extension
> > that changes your trust model’s assumptions, and does so in a way
> > that is challenging for a lot of large scale providers.
>
> Justin is correct but being extremely diplomatic. “There’s been
> hesitance”, as he puts it, translates in practice to some lawyer or VP
> saying “You want to accept auth assertions for business transactions
> from unknown parties? I have no interest in jail time, so forget it.”

Tim's point is very important. It shows a tension between "blindly accepting authentication claims from unknown parties", which would indeed lead to adversarial business consequences, and "only accepting authentication claims from parties that have been marked as trusted by my organization", which in theory looks safe but in practice drives concentration. If the trust decision is delegated to each site, we have the recipe for a network effect, in which only a very small set of big organizations can provide authentication for everybody, and collect the corresponding data and statistics.

This is both a very hard problem and an urgent problem. An IETF working group works on a hard issue and produces an incomplete solution. Big companies can fill the gaps by providing their own value. The result is further concentration of the Internet.

Such problems are very hard, but they are not impossible to solve. Look for example at PKI and its supporting infrastructure like the CAB Forum. It is not perfect, but at least it had the property of allowing web sites to use HTTPS without routing all authentication transactions through third parties.

Wouldn't it be nice if we had a federation system on top of OAUTH? I suppose that is difficult. Not a reason to not try...

-- 
Christian Huitema