[OAUTH-WG] Re: oauth-selective-disclosure-jwt Pull 451 is insufficient

Tom Jones <thomasclinganjones@gmail.com> Thu, 22 August 2024 17:15 UTC

References: <CACsn0ck2pS2dZ37Vh7+E1dGCaWiNECeMvVsQ-HY0irr3DJ7wJA@mail.gmail.com>
In-Reply-To: <CACsn0ck2pS2dZ37Vh7+E1dGCaWiNECeMvVsQ-HY0irr3DJ7wJA@mail.gmail.com>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Thu, 22 Aug 2024 10:14:54 -0700
Message-ID: <CAK2Cwb7X7rWrT5iqCpouzsparDDAdbZsJ6K-pU-ZVpjLxyJRgQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
CC: IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: oauth-selective-disclosure-jwt Pull 451 is insufficient
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Qzex5xVaxFB2amhR9M5BhuVkVdo>

I completely agree that education of users is not an answer to any security
question.

Be the change you want to see in the world ..tom


On Thu, Aug 22, 2024 at 10:08 AM Watson Ladd <watsonbladd@gmail.com> wrote:

> Hello,
>
> I would like to point out that the issuer verifier problem still
> remains open, even given the text in 11.
>
> The text is directionally wrong. It discusses how the issuer and
> verifier must be trusted, not what they can do together, and then only
> says that deployers must be aware and educate users. There's nothing
> actionable here, and user education doesn't work. Users cannot make
> security decisions of this nature, as we know from decades and decades
> of experience.
>
> Can we please get text that informs our readers what the issue is and
> what the risks are?
>
> Sincerely,
> Watson Ladd
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>