Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 78
Jerry Leyendecker <jleyendeckeratx@gmail.com> Wed, 24 February 2021 11:55 UTC
Return-Path: <jleyendeckeratx@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 968373A1487 for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 03:55:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4fF8ITgoHeUB for <oauth@ietfa.amsl.com>; Wed, 24 Feb 2021 03:55:24 -0800 (PST)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49DA43A148F for <oauth@ietf.org>; Wed, 24 Feb 2021 03:55:24 -0800 (PST)
Received: by mail-ej1-x631.google.com with SMTP id t11so2573249ejx.6 for <oauth@ietf.org>; Wed, 24 Feb 2021 03:55:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=BZpDP22elGxf+Oy5axkpyEkwqQlq+bExgFIhOdRptbE=; b=P/hIU159i58J4KYg7WUvYF8OuMaYk930t7VY8dTfvFgpx4ZrZz469/5Md4FdNeDPW9 VAfQdnB1TD6F9U9jLwiVPrz43b7IXSmoBbp7vv2+vSkqK1MrffH1vt95V0oSXkr+4NyT CSxWfTD3qrgdXkxYtw5WjtIf34/9PSWrHW+UhC8PNwDY2iDQ79HY8Y+gC0XOpR9mDUQm KW/2u4v7rbcFIzxvqTc4mY60fOtaRqlJA56U8pFbPIj1rLI1A9e0MXaDAZ+1CvzWsByD R1VE9CI5ZKMehJvTYOoqODomG6dKARroN1lhLg2LjANqffr7XZOlNoeKzdbQR8CpjKoh H95Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=BZpDP22elGxf+Oy5axkpyEkwqQlq+bExgFIhOdRptbE=; b=acDAtZq9fFdrs2ah8m5FmnfmCyof0uOugVgbMctKrzvyePMVU39ITnlQPLKtPPbfmt QPzGD0MUI4bSESuV+RulFhcNESfH/3m5DWP4R0XrF+Nw46mPtmak0hh+DRVs2xht26Zk ZFFyzJhjn7UirrD855170Lv2bh4CqRPFdEIrHkfQ6fQEZHqFXXm4l2IVPDIepPqolrnr CizOVlwgaaf4QU2RhrSoRwCUXjqRTgzZ0+ylKq+jD0fWqwVikYgTYtFI9sglJUp2uoT0 cvGjOYAG6Emy25LzNTRM5rbkfd8RKSm1M10mfvZmw/V6Y1DipQ+nKuL4d+0EoJ4KsVcn iLTg==
X-Gm-Message-State: AOAM530cigVM4uZL7lwZoqX9v0H55Rftm6PeVwzhk4ApnUCAIq/b6zun fGWtl2n7vqjHB+TGDRpTht4bnBETwfiiUu0F19YVO1oCg/c=
X-Google-Smtp-Source: ABdhPJxYbfQC+DwwBWXiJ/CftmqYdn00zbTVXvRsL5BCrrNqZOWoaf7Tdpc8oSpV8nK1/X3Qf9Kfz80+vKS6hRB2pBs=
X-Received: by 2002:a17:906:a896:: with SMTP id ha22mr2955675ejb.503.1614167722270; Wed, 24 Feb 2021 03:55:22 -0800 (PST)
MIME-Version: 1.0
References: <mailman.2168.1614166798.6343.oauth@ietf.org>
In-Reply-To: <mailman.2168.1614166798.6343.oauth@ietf.org>
From: Jerry Leyendecker <jleyendeckeratx@gmail.com>
Date: Wed, 24 Feb 2021 05:55:13 -0600
Message-ID: <CABv2g9ygJdDQrnbCeZchPBySYZdHL7Bp32qO2ameK0nJB_X2xA@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b1a3ba05bc13b5ed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/V2qPvuXtZb6n5es8vhunf2JPecw>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 78
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 11:55:28 -0000
My Name is Jerry L Leyendecker. could you please explain to me how, why, and what am I suppose to be doing as litigating OAuth please. That would be great. On Wed, Feb 24, 2021, 5:41 AM <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: We appear to still be litigating OAuth, oops (Carsten Bormann) > 2. Send me the autherized paperwork (Jerry Leyendecker) > 3. Re: We appear to still be litigating OAuth, oops (Warren Parad) > 4. Re: We appear to still be litigating OAuth, oops (Bron Gondwana) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 24 Feb 2021 11:36:13 +0100 > From: Carsten Bormann <cabo@tzi.org> > To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> > Cc: Bron Gondwana <brong@fastmailteam.com>, Phillip Hallam-Baker > <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, > ietf@ietf.org > Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops > Message-ID: <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> > Content-Type: text/plain; charset=utf-8 > > On 2021-02-24, at 11:22, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> > wrote: > > > > Should we solve the NxM problem, and if so, how do you propose we do > that? > > Let GNAP do that. > > Gr??e, Carsten > > > > ------------------------------ > > Message: 2 > Date: Wed, 24 Feb 2021 04:41:40 -0600 > From: Jerry Leyendecker <jleyendeckeratx@gmail.com> > To: oauth@ietf.org > Subject: [OAUTH-WG] Send me the autherized paperwork > Message-ID: > <CABv2g9z5TL-6z= > 64B6sJZODa8Kj0TNzkFAwB5_jdU5SBhUZcmg@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > Approved > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210224/6c850fa3/attachment.htm > > > > ------------------------------ > > Message: 3 > Date: Wed, 24 Feb 2021 12:04:40 +0100 > From: Warren Parad <wparad@rhosys.ch> > To: Carsten Bormann <cabo@tzi.org> > Cc: Bron Gondwana <brong@fastmailteam.com>, Phillip Hallam-Baker > <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, > ietf@ietf.org > Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops > Message-ID: > < > CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > I would prefer Bron to answer that question, as they are the one who > started this email thread. > > However let's look at GNAP, I've honestly been struggling to understand at > least one fully documented case that GNAP supports. It seems in every > document the only thing that is clear is GNAP wants to allow "everything", > doesn't actually talk about an example. > > By NxM, I assume we mean that the end user or client is free to select > whichever AS they want, in a way which the RS can verify the AS credential > and the user identity, without the RS having to (and really without the > ability to limit) which AS are allowed. > > Would you agree with that statement? > > Warren Parad > > Founder, CTO > Secure your user data with IAM authorization as a service. Implement > Authress <https://authress.io/>. > > > On Wed, Feb 24, 2021 at 11:36 AM Carsten Bormann <cabo@tzi.org> wrote: > > > On 2021-02-24, at 11:22, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org > > > > wrote: > > > > > > Should we solve the NxM problem, and if so, how do you propose we do > > that? > > > > Let GNAP do that. > > > > Gr??e, Carsten > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210224/dbb69cff/attachment.htm > > > > ------------------------------ > > Message: 4 > Date: Wed, 24 Feb 2021 22:39:11 +1100 > From: "Bron Gondwana" <brong@fastmailteam.com> > To: "Warren Parad" <wparad@rhosys.ch>, "Carsten Bormann" > <cabo@tzi.org> > Cc: "Phillip Hallam-Baker" <phill@hallambaker.com>, "oauth@ietf.org" > <oauth@ietf.org>, ietf@ietf.org > Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops > Message-ID: <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com> > Content-Type: text/plain; charset="us-ascii" > > On Wed, Feb 24, 2021, at 22:04, Warren Parad wrote: > > I would prefer Bron to answer that question, as they are the one who > started this email thread. > > You can also use he when talking about me, or she for that matter - I do > enough group fitness classes where it's roughly assumed that the entire > class is female, and I have an ambiguous enough name that I'm used to it. > Most people use "he" most of the time. > > > However let's look at GNAP, I've honestly been struggling to understand > at least one fully documented case that GNAP supports. It seems in every > document the only thing that is clear is GNAP wants to allow "everything", > doesn't actually talk about an example. > > That's my biggest fear for GNAP - it too will try to be everything to > everybody and wind up being nothing to nobody because the super flexible > "everything protocol" is the same as no protocol at all, since you have to > special-case everybody you talk to anyway. > > > By NxM, I assume we mean that the end user or client is free to select > whichever AS they want, in a way which the RS can verify the AS credential > and the user identity, without the RS having to (and really without the > ability to limit) which AS are allowed. > > Let's get down to use cases then, rather than talking in abstracts. > > I'm an end user with a copy of {The Bat email client} and I want to > connect it to {Gmail} + {Yahoo} + {My ISP}. It supports {POP3}, a widely > popular open standard. I want to be able to authenticate to each of those > services without saving my plaintext passwords on my hard disk where the > next {Windows ME} virus will exfiltrate them to {Noextraditionistan} and > all my {Dogecoin} will then be exfiltrated from my {Paybuddy} account, > leaving me destitute. > > But, {The Bat} doesn't have a trusted client cert from my isp, because who > does - so there's no good protocol for me - it's either plaintext auth, or > it's some architecture astronaut multi-party nonsense that's massively over > specified and doesn't work half the time. So I write a plain text password > on a post-it note which is lying in the dust under my monitor because the > glue has gone bad, and I hope I never accidentally click "remember me" when > I type it in. > > That's been the reality of the end user experience for very many years. > > NxM means that you can authenticate an arbitrary client against an > arbitrary server so long as they are both speaking a known public protocol, > without needing to build a trust relationship between the client vendor and > the server vendor first. > > Any "trust relationship" is made through a user both who trusts the client > and trusts the server, and it's not transitive over to other users of the > same client and the same server. The client author doesn't need to get a > signed "I trust you" from every single server, and the server author > doesn't have to go identify every single client. > > That's what NxM means to a user, the ability to use arbitrary clients with > arbitrary servers so long as they both implement a documented protocol. > Interoperability. > > OAuth has not given interoperability in the NxM sense outside some simple > web use cases. They're nice and all, but they don't tend to be useful with > open protocols - OAuth gets used for accessing proprietary API endpoints > after getting an access key for a single provider. At least you get Nx1 or > 1xM out of it depending who's the N and who's the M, and maybe some of your > code can rhyme so you're not doing everything from scratch each time. > > This is the sorry story of real open protocols. The floor for true > interoperability is still username + password over cleartext, over > hopefully a TLS tunnel that's providing some level of protection. Most so > than a few years ago when Fastmail wrote our "starttls considered > harmful"[1] objection to the IETF's habit at the time of putting a > "STARTTLS" upgrade into an initially plaintext protocol, where an active > intercepter could just strip the "I support STARTTLS" indicator from the > protocol and convince the client to send the credentials in the clear. > > We're a little better mostly these days, but it's still a tirefire, and in > my heart I do hold the OAuth working group's squatting on this area of the > landscape while failing to address this burning need partially > responsible. The result (as Phillip pointed out upthread) has been a > consolidation towards a few big players - because NxM becomes tractable > when you reduce the N and M to small enough numbers. > > Bron. > > [1] > https://www.fastmail.help/hc/en-us/articles/360058753834-SSL-TLS-and-STARTTLS > > -- > Bron Gondwana, CEO, Fastmail Pty Ltd > brong@fastmailteam.com > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20210224/c559b617/attachment.htm > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 148, Issue 78 > ************************************** >
- Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 78 Jerry Leyendecker