Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 24 February 2021 05:47 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC5CF3A0ED3; Tue, 23 Feb 2021 21:47:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5rUxqijq_4t; Tue, 23 Feb 2021 21:47:15 -0800 (PST)
Received: from mail-yb1-f179.google.com (mail-yb1-f179.google.com [209.85.219.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB1A43A0ED1; Tue, 23 Feb 2021 21:47:14 -0800 (PST)
Received: by mail-yb1-f179.google.com with SMTP id b10so732917ybn.3; Tue, 23 Feb 2021 21:47:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ksiww6hwtr+xTib2C0d/Ekmde5mKhPX2aWNQupDCx/s=; b=CNAh9woN+8vRb3TwEy6ikGoVFtqAspMeki74Oto1WMXi5lnPr2yykApzgyrfQ1AlLt +pTFoCXUSIS8kurs7ev9YTYWJubmSzpFT4aA17TuvfFubFyiwfmNuj4LxuHqx8Trov69 gx6im4XexpS6b6ShR+mRq5LGlFitm/3ixMrUcNIw09d8AcHZmcKuhQsfIZeBIzvb/zSh BPkN+t4+y3FaoftIc12NpwOAA5DhhM7V888vgydwN3g3NUBSweKjzrQN6An1tlqBz8xY HQV07hdC8FoUic0RseWQg0lxygG8pLDJ9GT8E3x/h5gIqmRJMBnHau705tgKwUygSmOZ q6jA==
X-Gm-Message-State: AOAM532Xomz0PIk0qC0GWn3IT/DzxUyoHWrtzbQ7Pq7hHE58+dP5YKNw Tfp7RQrm/sS7EniU9aEwLUK2KULTvt5Yc5Zff9E=
X-Google-Smtp-Source: ABdhPJx50qw4+0Cj13hEXO8AyCBkB9LaD6o3lcMlFh4uh7sYCKZe+Ly1MDGM/uljINVsBgcBFUd+mZqWso/qULne+Xc=
X-Received: by 2002:a25:dbc6:: with SMTP id g189mr36082170ybf.273.1614145633717; Tue, 23 Feb 2021 21:47:13 -0800 (PST)
MIME-Version: 1.0
References: <37eecb9b-f0eb-e21c-b162-b1f0339e4981@si6networks.com> <3c2d646d-f18d-4d88-b458-29dbd486432b@beta.fastmail.com> <AM0PR08MB371669108E9CEA561BEC9EF6FA809@AM0PR08MB3716.eurprd08.prod.outlook.com> <d6648437-332b-4668-a1c7-591f2c287539@dogfood.fastmail.com> <CADNypP8GKTY-Jhpb6AEfcpXOihwLap7OrrByNemGc2GNvZLeog@mail.gmail.com> <10fd9d2d-afb4-44aa-b618-fb5ce1efa69e@dogfood.fastmail.com> <c21477c8f68047cabac7aeae60a688f2@cert.org> <CAHbuEH7Qvc3AaBxbk1kXd4knS4_+Wrs3P7WNETRNNoFP-dGNCA@mail.gmail.com>
In-Reply-To: <CAHbuEH7Qvc3AaBxbk1kXd4knS4_+Wrs3P7WNETRNNoFP-dGNCA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 24 Feb 2021 00:47:03 -0500
Message-ID: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Roman Danyliw <rdd@cert.org>, "ietf@ietf.org" <ietf@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d131005bc0e913d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TYQyrkMFwpvoU5k1l4GH0ZSQGz0>
Subject: Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 05:47:17 -0000

I am worried by the advice 'use OAUTH' but for a very different reason.

OAUTH and SAML are both attempts to provide a secure authentication scheme
that works within the very particular and very peculiar environment of Web
browsers. They are schemes that necessarily involve techniques that are
rightly regarded as alchemy if not outright witchcraft.

That is fine, that is more than fine if you are developing an
authentication scheme for use within Web browsers (or if you are developing
whatever SAML and OAUTH are these days, neither was originally billed as
authentication). But it is completely inappropriate to ever suggest let
alone demand that anyone use a technology whose primary design constraint
is to work around the voodoo of Javascript, URIs, HTTP cookies etc. etc. in
an application where none of those legacy issues apply.

One of the big problems of IETF is that a lot of people don't think about
how to get their scheme deployed and when they do, their plan is to tie it
to some other group as a boat anchor. Back when we were doing DKIM and SPF
we had to tell certain DNS folk that the fact that almost no DNS Registrars
offered customers the ability to specify new RRTypes was their problem and
was going to remain their problem no matter how loudly they tried to
complain that it should become our problem.

In the case of OAUTH, there is another problem in that OAUTH really isn't a
very open protocol from the standpoint of the user. I can use my Google or
my Facebook or my Twitter accounts to log in via OAUTH at a large number of
sites. But if I want to use any other OAUTH provider I am completely out of
luck. Or at least I will be until this becomes one of the multifaceted
complaints in the anti-trust hearings coming soon to a capitol hill near
you. And yes, that is a consequence of how the protocol has been deployed,
but that probably not going to get people very far on capitol hill.


The Internet is for everyone. The Internet is for end users.

I am really not that interested in who makes the ingredients except to the
extent that it determines what sort of cake emerges. One of the unexpected
side effects of Web 2.0 has been that it has greatly centralized power in
the hands of a tiny number of individuals. Individuals who are at best
accountable to shareholders, but in the case of some of them, a separate
share class ensures that they are accountable to nobody. In neither case
are the people with power accountable to end users because they are not
even customers, they are the product.

What I am interested in is the extent to which Internet technologies are
Technologies of Freedom. The question we need to ask ourselves is 'does
this technology increase end user autonomy or increase their reliance on
third parties'.

>