Re: [OAUTH-WG] Assessing the negative effects of proposed standards

Jim Manico <> Mon, 01 March 2021 16:32 UTC

To: Vittorio Bertola <>
Cc: IETF-Discussion Discussion <>,
References: <CWXP265MB0566C4B21C45E760B1BFED7FC29A9@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <> <>
From: Jim Manico <>
Message-ID: <>
Date: Mon, 1 Mar 2021 11:32:00 -0500


I feel you are conflating OIDC with OAuth2. In delegation workflows, the 
AS/RS can be any company and the clients are approved registered 
clients. I use OAuth2 for many of my own consumer needs and there is an 
even distribution of use among many services. OAuth2 protects me. I no 
longer have to hand out my Twitter credentials just because my 
conference website wants limited access to my Twitter account. I can now 
give my conference website limited delegated access to my Twitter 
account and cancel that relationship any time. For years I was forced to 
give up my banking credentials to services like Mint and that is no 
longer the case due to the OAuth2 financial extension (FAPI).

While OIDC is certainly centralizing identity to a few providers, a real 
problem, OAuth2 when used for delegation purposes does not have that 
same inherent risk.


- Jim Manico

On 3/1/21 9:59 AM, Vittorio Bertola wrote:
>> On 01/03/2021 15:13 Jim Manico <> wrote:
>> How does OAuth harm privacy? 
> I think you are analyzing the matter at a different level.
> If you start from a situation in which everyone is managing their own 
> online identity and credentials, and end up in a situation in which a 
> set of very few big companies (essentially Google, Apple and Facebook) 
> are supplying and managing everyone's online credentials and logins, 
> then [the deployment of] OAuth[-based public identity systems] is 
> harming privacy.
> Centralization is an inherent privacy risk. If you securely and 
> privately deliver your personal information to parties that can 
> monetize, track and aggregate it at scale, then you are losing privacy.
> -- 
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> Office @ Via Treviso 12, 10144 Torino, Italy

Jim Manico
Manicode Security
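The delegation model Jim describes above, a pre-registered client granted limited, scope-bound access that the user can cancel at any time, shown as an added toy example in Python. This is not code from the thread, from OAuth WG documents, or from any real authorization server: the client id "conference-site", the scopes "tweets:read" and "tweets:write", the user "alice" and the two API actions are constructed for the illustration, and the `introspect` and `revoke_client` methods are local stand-ins for the introspection (RFC 7662) and revocation (RFC 7009) endpoints. It shows the three checks a resource server relies on to make delegation safer than handing over credentials: the client can only obtain scopes it was registered for, the token is useless for actions outside its scope, and the user's revocation kills the token without the user changing any password.

```python
"""Toy model of OAuth2-style scoped, revocable delegation.

Added illustration, not code from the OAuth WG thread or from any real
authorization server. Client ids, scopes and user names are constructed.
Tokens are opaque random strings; the server stores only their SHA-256
digest, so a leaked grant table does not yield usable bearer tokens.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    def __init__(self):
        self.registered_clients = {}  # client_id -> scopes the client may request
        self.grants = {}              # sha256(token) -> Grant

    def register_client(self, client_id, allowed_scopes):
        self.registered_clients[client_id] = frozenset(allowed_scopes)

    def issue_token(self, user, client_id, requested_scopes):
        # Only registered clients, and only the scopes they were registered for.
        allowed = self.registered_clients.get(client_id)
        if allowed is None:
            raise PermissionError("unknown client")
        requested = frozenset(requested_scopes)
        if not requested <= allowed:
            raise PermissionError("client requested scopes it is not registered for")
        token = secrets.token_urlsafe(32)
        self.grants[_digest(token)] = Grant(user, client_id, requested)
        return token

    def introspect(self, token):
        # Stand-in for RFC 7662: returns the live grant or None for unknown/revoked.
        grant = self.grants.get(_digest(token))
        if grant is None or grant.revoked:
            return None
        return grant

    def revoke_client(self, user, client_id):
        # The user cancels the relationship: every token for (user, client) dies.
        count = 0
        for grant in self.grants.values():
            if grant.user == user and grant.client_id == client_id and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


class ResourceServer:
    # Maps each protected action to the scope a bearer token must carry.
    REQUIRED_SCOPE = {"read_timeline": "tweets:read", "post_tweet": "tweets:write"}

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle(self, token, action):
        required = self.REQUIRED_SCOPE[action]
        grant = self.auth_server.introspect(token)
        if grant is None:
            return 401, "invalid or revoked token"
        if required not in grant.scopes:
            return 403, f"token lacks scope {required}"
        return 200, f"{action} on behalf of {grant.user} for {grant.client_id}"


def demo():
    """Walk through grant, scope enforcement, over-reach refusal and revocation."""
    auth = AuthorizationServer()
    auth.register_client("conference-site", ["tweets:read"])
    api = ResourceServer(auth)

    token = auth.issue_token("alice", "conference-site", ["tweets:read"])
    read_ok = api.handle(token, "read_timeline")[0]        # 200: within scope
    write_denied = api.handle(token, "post_tweet")[0]      # 403: scope not granted
    bogus = api.handle("not-a-real-token", "read_timeline")[0]  # 401: unknown token
    try:
        auth.issue_token("alice", "conference-site", ["tweets:write"])
        overreach = "issued"
    except PermissionError:
        overreach = "refused"                              # client not registered for it
    revoked = auth.revoke_client("alice", "conference-site")
    after_revoke = api.handle(token, "read_timeline")[0]   # 401: grant cancelled
    return read_ok, write_denied, bogus, overreach, revoked, after_revoke


if __name__ == "__main__":
    print(demo())
```

The design point is that the password never leaves the user: the client holds a token scoped to what it was registered for, the resource server refuses anything outside that scope, and revocation is a per-client switch rather than a credential change that would also break every other client.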