IETF Logo Mail Archive

[OAUTH-WG] Re: DNS Handles

Dick Hardt <dick.hardt@gmail.com> Wed, 22 January 2025 08:28 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B97C18DB94 for <oauth@ietfa.amsl.com>; Wed, 22 Jan 2025 00:28:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fCJ6n0TQkaR7 for <oauth@ietfa.amsl.com>; Wed, 22 Jan 2025 00:28:13 -0800 (PST)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 339C6C16941B for <oauth@ietf.org>; Wed, 22 Jan 2025 00:28:13 -0800 (PST)
Received: by mail-yb1-xb2a.google.com with SMTP id 3f1490d57ef6-e46ebe19489so9482994276.2 for <oauth@ietf.org>; Wed, 22 Jan 2025 00:28:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1737534492; x=1738139292; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f1Dzp73tT894jnot1trUY6mBVU8lC0mbfMmRjBaZluU=; b=HpxrUJefhSBKWJ4XlPfyfro0+evy49reMv8EEyJ0wfLHKCm8PjRd+EP18qv5lH7beY k/Asy3yuOmSe79bsKvrV5WylkF96B4mORlLK+Uh3ke3ALbsNsCO7w1yGUMaRB+2twpMP P/I+jUnF3LxuTC4MNLt4ScusavfWiJSwtyI6r20VVo0U/W5rUz0wsnC0/JDwzS1jgRva A5IbT2DM9PFIDUa8uvLwe0p6rLzwV1oAQe7TWYrXqUioWsE//Up/W65iCMu7CgsVeP0B gvErZ2DYb6WBlppRlBwINrx3Z5i9xaIfiwedtinV98JT039V09qAdM6+o1t4zKAf2Bo3 310g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737534492; x=1738139292; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f1Dzp73tT894jnot1trUY6mBVU8lC0mbfMmRjBaZluU=; b=b5V1K31uAIIsV436qUAeJeUc68ss/RzoEa+UT00v5anzKAPQXWNsMta+I2sqVMlJk/ ptqoknhijxk+QnVq+Q4/rpG9B4SWZDRdwBcRM/PTg7QY5fFODaARvBFK4o7Lk9zz8+qd CYJSjsX3bKSKsH1UX46OSc/7j+eaXTBF/fKAKVO8PJ0i6M7pgEz8wwg4ZCphj/nSjuZg OXYtwNTRD08v8TjjEZ69qJ+WPXlYrifWGEWqImfXQJkGPEctje1MZJ0Tic8x2YjfU1WI Mp8bS84KeIzdVmuZpkVxD+dg4bWQMbVrfb0S2H8xacjt7Wdw6TxLa0QOfHLg4hulXga0 awSg==
X-Forwarded-Encrypted: i=1; AJvYcCXA/xRRYFdCdXxGhWfuZ/5iiRg5Fdk/LHw8E1uTtENC+itvVu+yhHNAzS5ELho3wlN/Dfkm6A==@ietf.org
X-Gm-Message-State: AOJu0Yy2Fi6L/YMbfM9ltRQjdng5w0KBsnGPpvgWtQOyAfOo+vNBsOTD E5hZZL5n5BEKGrb94v3Cs6fyE46MRBfTaA5D3VKykmQM2F5LnNf+HVEBPsZTxYb6yxxDtYRyqSi Zsq9vtzi2Xbq/V3QbJIwisaGWXHKiHQ==
X-Gm-Gg: ASbGncspdg4fZ79sHbMS1skf8Kmr2ZduQTGLdHLf67El7dqKusFMDgqzDJSYc67sBNl +YCCbhjD/5ZPPRvcZP+q24qzHftsYpeXQMzDUxuO+nR4UMbj96SA=
X-Google-Smtp-Source: AGHT+IFlZ/uxyBJdci/4pd8/FSMGzoiZxlimuzYZUI4Aqf4qNsczHJwJEt3+G9HGcIFV5L5I2zltoWp1/tlw7zgVSKc=
X-Received: by 2002:a05:6902:220b:b0:e58:ef9:25d4 with SMTP id 3f1490d57ef6-e580ef92ac7mr3249578276.30.1737534491815; Wed, 22 Jan 2025 00:28:11 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwgykk+B2UspfXBcLipFiTifNBf-WG-DeXPpWT39syqqVg@mail.gmail.com> <CAD9ie-tYsCODGfNTBDZgr46s4O4B9-u79jR=G10y4sN5HBiKgQ@mail.gmail.com> <CAMm+Lwje3G7EPkapFfVksbNtPN11LOs7Gj3Jj09uuFyvAb4FRQ@mail.gmail.com> <CAJot-L06J-T7vK2FJY4JGFQj4Zu=xFyNnKpnNM2SktCpOuTDKw@mail.gmail.com> <CAMm+Lwg+OizX_+bW7gkFqE3S6OGdF=h=7hpMSgnREWiqawiA5g@mail.gmail.com> <CAJot-L1rbkYg3rooqLrWw5StrqJMFZp7puc4GK+ACOqPtVbaig@mail.gmail.com> <CAMm+Lwj6qFy+njAd1T1F70EieJfxHCnkEcVLiGf8u7gSjhg0Kw@mail.gmail.com> <CAJot-L0chuJT26xPJHYzXzBgGKm=79brf88-7fqucmf9DDs5Hw@mail.gmail.com> <CAMm+LwjCb4eTTAM2oAwF8--XfG6wzmXQfO7Ap87p5U1v+vSK3Q@mail.gmail.com> <CAD9ie-vMW=hm4j2Y5-weGzfuPmS-S48ZwEBpX-eV3HCH6tt-ew@mail.gmail.com> <CAMm+LwgB39dAOCnqHpAAjXCVcguytBYMRDQ2RJoKGfJcxdjEyg@mail.gmail.com> <CAD9ie-tiReSKfU4yNYA=UB4mrkAve2+1yrUWa5CRZmrtVx2HGg@mail.gmail.com> <CAMtUnc4NMYEkJyukJSEMBN0icw0gTVuAyZ36bZ4u954OiDKRuA@mail.gmail.com>
In-Reply-To: <CAMtUnc4NMYEkJyukJSEMBN0icw0gTVuAyZ36bZ4u954OiDKRuA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 22 Jan 2025 08:28:01 +0000
X-Gm-Features: AbW1kvaoDMdcAJO4oHY0CdxPTnkpvGTzZxHv8gjpSf1dSZ1AZoqvzvywLoicGRw
Message-ID: <CAD9ie-uega6BQZcaQ1k1d6zN1DDpj+Y27Gf_MKR1ANHnMrQ4dw@mail.gmail.com>
To: Sam Goto <goto@google.com>
Content-Type: multipart/alternative; boundary="0000000000002b7a65062c47462c"
Message-ID-Hash: F755CFL2GT6PEKELHIAAV7B6U6Z3IBTH
X-Message-ID-Hash: F755CFL2GT6PEKELHIAAV7B6U6Z3IBTH
X-MailFrom: dick.hardt@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Phillip Hallam-Baker <phill@hallambaker.com>, oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: Dick.Hardt@gmail.com
Subject: [OAUTH-WG] Re: DNS Handles
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/84Vl2_JjJieL2t37NYWbcgjhYlY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

FWIW

We simplified to just a URL in OpenID 2

People just did not know what to do and were confused. Conversion dropped
at RPs so they took it out.

 I agree that the browser work may change the dynamics if:

- the user can opt in at their provider to have the functionality

- the functionality is only displayed to the user at the app web page if
the user has functionality and has opted in

- the user understands the functionality when displayed and only has to
click a button to start login

- the user can have a choice of which one to select

This solves the earlier problems of:
- the user being confused at the web app about what to do, and
- the user having to know what value to enter
- the user having choice

Unfortunately the browser work so far has been focused presenting an
experience that mimics the Google Experience, which does not map to other
providers

My other concern is this lowering the security of the web as account
protection is hard and my Mastodon server is not up to the task

While people are rightfully concerned about the control of the large
platforms, the account protection offered is unequaled anywhere else

On Wed, Jan 22, 2025 at 5:20 AM Sam Goto <goto@google.com> wrote:

> FWIW, I do agree that it is unlikely that a standard (any standard) will
> change anything, but I do think that the rise of bluesky/mastodon in
> conjunction with the browser being more involved (as Aaron pointed out,
> this specifically
> https://github.com/w3c-fedid/idp-registration/issues/2 but this too
> https://github.com/w3c-fedid/idp-registration/issues/15) adds at least a
> couple missing parts that weren't available a few years ago when it was
> last tried, and may be enough to make this viable.
>
> I'm @sgo.to and really feel represented by my domain name on the web, and
> I hope this pattern gets further developed.
>
>
>
> On Tue, Jan 21, 2025, 2:49 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> I’m not saying it won’t happen — I’m saying a standard is unlikely what
>> is holding it back.
>>
>> On Tue, Jan 21, 2025 at 10:33 PM Phillip Hallam-Baker <
>> phill@hallambaker.com> wrote:
>>
>>> Exactly the same happened with social media in general. We had
>>> interactive forums and blogs in 1994. Users couldn't quite work out what
>>> they were about.
>>>
>>> Ten years later, Facebook launched with a set of what were well worn
>>> features by then and took off.
>>>
>>> Timing matters a great deal. At the same time OpenID launched, a friend
>>> was trying to get a password management service off the ground. It crashed
>>> and burned; the users simply hadn't got to a sufficient level of pain yet.
>>> Today there are a dozen successful providers in that space.
>>>
>>> Another point to consider is that there is a very large government
>>> entity that is very upset about the 'centralization' of the Web. A
>>> government entity that is more than willing to pick fights with BigTech and
>>> the means to enforce its legal decisions. This would be a very opportune
>>> moment for certain companies to consider whether they would like to modify
>>> their technical approach, so they are not unnecessarily inserting
>>> themselves into unrelated business transactions or if they wish to press
>>> ahead and become that which is between the irresistible force and the
>>> immovable object.
>>>
>>>
>>>
>>>
>>> On Tue, Jan 21, 2025 at 4:45 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>>> Sounds alot like what OpenID was (not OpenID Connect)
>>>>
>>>> The user entered an identifier into the box and then was logged in.
>>>> This was when blogging was taking off, and we all thought people had some
>>>> identifier on the internet they would enter. Many of those were just a
>>>> domain name.
>>>>
>>>> According to Built With, OpenID[1] had more adoption in the top 1M
>>>> sites (42k) than Google Identity Platform[2] does today (35k).
>>>>
>>>> If you look at the OpenID graph, you see it spikes up, and then drops
>>>> off rapidly. Consensus was that people did not know what to do.
>>>>
>>>> Perhaps the world is different now -- but I don't think so. It was not
>>>> a lack of standards back then, and a standard is unlikely to change
>>>> anything now.
>>>>
>>>> /Dick
>>>>
>>>>
>>>>
>>>> [1] https://trends.builtwith.com/docinfo/OpenID
>>>> [2] https://trends.builtwith.com/widgets/Google-Identity-Platform
>>>>
>>>> On Tue, Jan 21, 2025 at 9:03 PM Phillip Hallam-Baker <
>>>> phill@hallambaker.com> wrote:
>>>>
>>>>> The differences in the new approach as I see it are
>>>>>
>>>>> 1) The user identifier is '@' followed by their DNS address and that
>>>>> is the ONLY syntax used to present that identifier. No URIs, URLs, QR
>>>>> codes, etc. the only thing a user is required to remember and type in at a
>>>>> site where they want to claim their identity is their DNS handle.
>>>>>
>>>>> I am experimenting with calling the system @nywhere because this means
>>>>> I can prompt the user with the @ sign as the field label with 'nywhere' as
>>>>> text replaced as soon as they start to type. Which I think provides a
>>>>> really nice contextual grounding for the user. I am willing to change this
>>>>> but not to use https// or similar. URLs were never intended to be user
>>>>> facing labels.
>>>>>
>>>>> 2) The user can change their handle and preserve their account. In the
>>>>> ATprotocol scheme, the DNS handle is resolved to a DID which is a
>>>>> fingerprint of a public key that can be used as a root of trust for making
>>>>> claims related to the handle.
>>>>>
>>>>> Now, I have reservations about this part of the BlueSky spec and the
>>>>> fact that it is bound to a public key doesn't really mean anything unless
>>>>> the private key is held by the end user. It is a part of the spec that I
>>>>> want to align with end-to-end secure communications tech that put the
>>>>> private key under user control. But in the meantime, it DOES provide the
>>>>> ability to change handles and that is really important as it allows users
>>>>> to move from an 'at-will' handle controlled by another to a personal
>>>>> registration.
>>>>>
>>>>> 3) The entire system is loosely coupled. Relying sites are not
>>>>> required to establish any prior relationship with the authentication
>>>>> provider. This is obviously something a lot of folk are going to object to
>>>>> but the only way that an authentication system can become ubiquitous is if
>>>>> it is permissionless.
>>>>>
>>>>> I talked to folk about connecting my Internet Drafts comment forum up
>>>>> to the IETF datatracker and was told this was likely to require contracts
>>>>> and agreements and such. The emerging infrastructure allows me to
>>>>> authenticate the user regardless of who is providing their authentication
>>>>> without needing any prior agreement, app key or anything.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jan 21, 2025 at 3:13 PM Warren Parad <wparad@rhosys.ch> wrote:
>>>>>
>>>>>> I'm not really following. Maybe let's start at the end and work
>>>>>> ourselves backwards. As an Identity Provider today, we generate JWTs for
>>>>>> our users that applications can use. Users log in to applications via our
>>>>>> Authorization Server and get application specific JWTs. Based on your
>>>>>> suggestion how does the result JWT different from the one that we are
>>>>>> generating for the user+application today?
>>>>>>
>>>>>> On Tue, Jan 21, 2025 at 9:02 PM Phillip Hallam-Baker <
>>>>>> phill@hallambaker.com> wrote:
>>>>>>
>>>>>>> On Tue, Jan 21, 2025 at 2:43 PM Warren Parad <wparad@rhosys.ch>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> The only thing lacking is a base of authentication service
>>>>>>>>> providers that are willing to give users control.
>>>>>>>>
>>>>>>>>
>>>>>>>> As someone who works for one of those "authentication service
>>>>>>>> providers", what exactly would we need to support that we don't already?
>>>>>>>>
>>>>>>>
>>>>>>> I am writing a draft. The short answer is almost nothing. But not
>>>>>>> nothing.
>>>>>>>
>>>>>>> The longer answer is that we need to have:
>>>>>>>
>>>>>>> 1) A detailed explanation that puts ALL the information needed to
>>>>>>> implement against the profile in one place. I am working on an Internet
>>>>>>> draft to do exactly that.
>>>>>>>
>>>>>>> 2) A discussion of how to best present the scheme as something whose
>>>>>>> primary purpose is as an authentication provider rather than an account
>>>>>>> with one social media property that can also be used elsewhere.
>>>>>>>
>>>>>>> 3) A discussion of how to use the DNS handles to enable end-to-end
>>>>>>> secure messaging. If Bob is reading a comment by Alice under @
>>>>>>> alice.example.com, that is the handle he is likely to want to use
>>>>>>> to message her.
>>>>>>>
>>>>>>> 4) A discussion about what else we might want a DNS handle provider
>>>>>>> to support. I have a prototype running that extends to supporting the IoT
>>>>>>> requirements raised in SETTLE.
>>>>>>>
>>>>>>> Right now, we have 'a' way to do this which is not necessarily the
>>>>>>> best way or the way that allows us to grow in all the ways we might want in
>>>>>>> the future.
>>>>>>>
>>>>>>> I have a history of being able to market protocols and get them into
>>>>>>> widespread use. I haven't always been successful but have more successes
>>>>>>> than failures and I think I know what it takes to make DNS Handles widely
>>>>>>> used, which businesses I need to approach, etc. etc.
>>>>>>>
>>>>>>> The reason I am raising this here now, is that before I go round to
>>>>>>> the DNS registrars (and their affiliates) and the VPN providers and such to
>>>>>>> say this is the thing to do, I want to make sure we have everything
>>>>>>> straight at a technical level so we are all on the same page.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>

v2.29.0 | Report a Bug | By Email | System Status