Re: [OAUTH-WG] OAuth in the news again....
Nat Sakimura <sakimura@gmail.com> Tue, 02 December 2014 00:35 UTC
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 02 Dec 2014 00:35:49 +0000
Message-ID: <CABzCy2BNSj7-37F9DkTawTBHUn5y98pHv2p0feDO5CM7635L7g@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, John Bradley <ve7jtb@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ZhkieQWKVrPoDmfwplTFneDvb3E
Cc: "oauth@ietf.org" <oauth@ietf.org>

The article is misleading in multiple ways. At its heart, it has nothing to do with OAuth but with the problem of the explicit consent model, that people are trained to click "accept". Apparently, she did give her authorization to pull her profile to create a Zoosk account. She did the on-the-fly provisioning to Zoosk, but this was "without her knowledge" because she clicked "accept" without reading. This is where a consent receipt type of idea becomes more helpful.

Cheers,

Nat

On Tue Dec 02 2014 at 3:58:28 Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Yes, this is the story. Sorry for including the wrong link.
>
> We can find out what the issue was but that wasn't necessarily my point.
>
> The problem is that there is unfortunately little understanding about
> the different layers and responsibilities involved. I think there is
> something to write about and I will compile a first draft.
>
> Ciao
> Hannes
>
> On 12/01/2014 06:51 PM, John Bradley wrote:
> > Hannes,
> >
> > I think this may be the link you were trying to share.
> > http://www.cbc.ca/m/touch/news/story/1.2844953
> >
> > I suspect the problem was the profile ID leaking via an ad rather than
> > anything to do with OAuth as she never logged in.
> >
> > John B.
> >
> >
> >> On Dec 1, 2014, at 1:25 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >>
> >> Hi all,
> >>
> >> I fear we have to write another article to clarify what OAuth does and
> >> what it does not do based on the misinformation spread with this recent
> >> article:
> >> http://www.techopedia.com/definition/26694/oauth
> >>
> >> A quote from that article:
> >> "
> >> Graham Williams, a Vancouver-based technology expert, points to what is
> >> known as an "open authentication protocol" — or OAuth — where people
> >> often unwittingly share personal information with third-party websites.
> >> "
> >>
> >> Ciao
> >> Hannes
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>