[OAUTH-WG] How does OAuth harm privacy ?

Denis <denis.ietf@free.fr> Mon, 01 March 2021 15:29 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2B203A1E02 for <oauth@ietfa.amsl.com>; Mon, 1 Mar 2021 07:29:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.117
X-Spam-Level:
X-Spam-Status: No, score=-1.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8IiaXnvxLxS for <oauth@ietfa.amsl.com>; Mon, 1 Mar 2021 07:29:23 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp11.smtpout.orange.fr [80.12.242.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71C063A1E50 for <oauth@ietf.org>; Mon, 1 Mar 2021 07:29:17 -0800 (PST)
Received: from [192.168.1.11] ([90.79.53.231]) by mwinf5d89 with ME id b3VD2400j4zJUWJ033VDRw; Mon, 01 Mar 2021 16:29:15 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 01 Mar 2021 16:29:15 +0100
X-ME-IP: 90.79.53.231
To: Jim Manico <jim@manicode.com>
Cc: IETF-Discussion Discussion <ietf@ietf.org>, oauth@ietf.org
References: <CWXP265MB0566C4B21C45E760B1BFED7FC29A9@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <EF14E7AC-CA19-44EE-9EC6-D21A81ECA756@manicode.com> <1016085528.105908.1614610785506@appsuite-gw1.open-xchange.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <5681917b-2496-7965-3047-773f46522ed2@free.fr>
Date: Mon, 1 Mar 2021 16:29:12 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0
MIME-Version: 1.0
In-Reply-To: <1016085528.105908.1614610785506@appsuite-gw1.open-xchange.com>
Content-Type: multipart/alternative; boundary="------------6B791F71925D5E6409DF5AB8"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Shxilzlf2xt7TBPpVlpziZJrRdI>
Subject: [OAUTH-WG] How does OAuth harm privacy ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 15:29:26 -0000

Hello Jim,

Since you dared to raise the question: "*How does OAuth harm privacy* 
?", I need to respond. I changed the tile of the thread accordingly.

With OAuth, the RS must have a prior relationship with the AS (which is 
not scalable). When the client calls the AS,
the AS is able to know which is the RS and then is in a position to know 
which end-user is likely to access which RS.

When furthermore *token introspection* is being used, the AS is in a 
position to know exactly when an end-user
is performing an access to every RS. Some people would say that the AS 
is able to act as *Big Brother*.
While this might be acceptable within a single domain (i.e. all the 
users, ASs and RSs belong to the same organization
or company), this is a serious concern if/when used in general over the 
Internet in a multi-domain case.

Since the access tokens are considered to be opaque to the clients (and 
hence to the end-users), a client is not supposed
to verify which privileges have effectively been inserted into an access 
token, in particular whether a unique identifier
that would allow the RSs to correlate the accounts of their users has 
been maliciously added into every access token.

In your email you wrote:

    I don’t see how moving from handing your creds over to a third party
    to OAuth2 workflows, harms either privacy or security.

I hope that the facts mentioned above will allow you to see that OAuth 
does harm the user's privacy.

Denis

>
>> Il 01/03/2021 15:13 Jim Manico <jim@manicode.com> ha scritto:
>>
>>
>> How does OAuth harm privacy? 
> I think you are analyzing the matter at a different level.
>
> If you start from a situation in which everyone is managing their own 
> online identity and credentials, and end up in a situation in which a 
> set of very few big companies (essentially Google, Apple and Facebook) 
> are supplying and managing everyone's online credentials and logins, 
> then [the deployment of] OAuth[-based public identity systems] is 
> harming privacy.
>
> Centralization is an inherent privacy risk. If you securely and 
> privately deliver your personal information to parties that can 
> monetize, track and aggregate it at scale, then you are losing privacy.
>
> -- 
>
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> vittorio.bertola@open-xchange.com  <mailto:vittorio.bertola@open-xchange.com>  
> Office @ Via Treviso 12, 10144 Torino, Italy
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth