IETF Logo Mail Archive

[OAUTH-WG] Re: DNS Handles

Warren Parad <wparad@rhosys.ch> Tue, 21 January 2025 18:37 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CC8C1D4CE5 for <oauth@ietfa.amsl.com>; Tue, 21 Jan 2025 10:37:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVhH17yoaKQ4 for <oauth@ietfa.amsl.com>; Tue, 21 Jan 2025 10:37:47 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE613C1DCDE3 for <oauth@ietf.org>; Tue, 21 Jan 2025 10:37:47 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id 4fb4d7f45d1cf-5d90a5581fcso10591566a12.1 for <oauth@ietf.org>; Tue, 21 Jan 2025 10:37:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google2024; t=1737484666; x=1738089466; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=J2rIZ3nZyvsFHmxbWh/KjPO9IHO9Kvx/afvsKcR6Qlg=; b=lPiY9WxupbT8KUP+1spdyzbAnvMsofdXSmhPtPotn2jWL0FwPsYEF4xB+7XtC83R62 V6NpYlRYpQGX9Q7jCAwY9SbtolzMztb1wTgJ9fQZoC9wP6AXLwJViJsXqVkdzsn52vZp 77Nwf2JQZHHxLfp6KimUFQoN8s86CPiLBYiFnfB2v3s46HAFUlgNP2D6gWGTNu4zoGoQ sPWrIsCWGhLZFtme/TWX6YxuyN6EB1AYQyKaznZdQDXz1lag59cYcI+Xf3G86gBtxZJv U+ORzpclcalSXvh6bGyv0z4U8eBdZ7ClU0ThuOdY9ol5K+o3Hn3OOU3MAHE8VARdhgSV LNYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737484666; x=1738089466; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=J2rIZ3nZyvsFHmxbWh/KjPO9IHO9Kvx/afvsKcR6Qlg=; b=X0HZ2cJWutnwNCr6AM+gY5uzQDLC7eAd4CGB4xwZAFkQ+o+fpPfphtZX6PQz8H5vmj M4zdfkVX5gLli0NaFDisdtZuAs/5CN3AT/M4qnII6VCCNm6fY9mTUwA315CM/Fh50rIG cZDw1tcGBJDCfDwTKlJKUiRbwiSJtUNxKXDIi61x2I/mtBSi9fokpdz/C1u14f87jHMr /Jj32BxzL/ooSTnbx2QVjvuzaa2Au8aed907kmmI6nbriMvE2bpKl0gbK8veY9CUgqDI ZI+nILhShRABFPhzsQHvWJ3M58G4RHYb2e0jAwYi0d+1gTdaseNxUXXuuSiwzw2AzAJv MsNg==
X-Forwarded-Encrypted: i=1; AJvYcCX/pN35mEh08yNK76MUuKWzvnZ88JcHfZKLG3FP+Vyoee4CmGpM74GrNlCPZ32VwPGKzioQuQ==@ietf.org
X-Gm-Message-State: AOJu0YwiJoL+QSt1upDwSO9lbXB3O9CrzjPd9kfkUM2O8yzYKz1i1CD1 NEK7wNE5HDVRy/ur1iiR9PVFdfwOw6wv2CT39MXDG3YfjQjj/Q8lirbeaO8/K5zIMAS/lNnYawe GR0owZjDFrqU3glATbS9WRXh/+emNMiHg2hqV
X-Gm-Gg: ASbGncul8UcZne2dtBKFNw8WSI4wPjftmNKhBB94PPO65FwQZXZBtTX25ujerZoeYJw Ps8uTH9wxOV10TI61o/mrVC0AQAm1eMZamY17n/u4Dess1Xqcctc=
X-Google-Smtp-Source: AGHT+IG67b2cSH1mB8sCDyr/WIIIzxXFvQGIbCkesEO6b7g6fmloEskCwsLLTQIqP5LeV33d4ImAkxvcmhu/0CuAwsw=
X-Received: by 2002:a05:6402:51ce:b0:5d0:e63e:21c3 with SMTP id 4fb4d7f45d1cf-5db7d2f8612mr14638005a12.14.1737484666087; Tue, 21 Jan 2025 10:37:46 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwgykk+B2UspfXBcLipFiTifNBf-WG-DeXPpWT39syqqVg@mail.gmail.com> <CAD9ie-tYsCODGfNTBDZgr46s4O4B9-u79jR=G10y4sN5HBiKgQ@mail.gmail.com>
In-Reply-To: <CAD9ie-tYsCODGfNTBDZgr46s4O4B9-u79jR=G10y4sN5HBiKgQ@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Tue, 21 Jan 2025 19:37:35 +0100
X-Gm-Features: AbW1kvZwolVsJlOEOGDRdBSWvD4D2r5mEQdSLPb5m0hbvLCQNqOBVuW5TMNgaaY
Message-ID: <CAJot-L2KevzbzqqqPWGbMQF3X=_eKfgN3amFs5D=rn16aL97qA@mail.gmail.com>
To: Dick.Hardt@gmail.com
Content-Type: multipart/alternative; boundary="000000000000534c3b062c3bacc8"
Message-ID-Hash: GS66Q4YHHQULYSXR6MK4YY62ZIFZYVNK
X-Message-ID-Hash: GS66Q4YHHQULYSXR6MK4YY62ZIFZYVNK
X-MailFrom: wparad@rhosys.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Phillip Hallam-Baker <phill@hallambaker.com>, oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: DNS Handles
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hdtk9bvXl2xz1X63AuVJD8RX-jo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Phillip, can you concretely share an actual issue though? E.g. What is the
standard and what exact problem does it solve? From my naïve perspective, I
don't see how you are requesting anything different from what OAuth already
is exactly providing.

Maybe one particular you might not be aware of is the effort by the
browsers, and honestly, mostly by this WG to make FedCM solve what I
believe is more than 100% of the problem space you might be talking about.
Are you familiar with FedCM?
https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API

On Tue, Jan 21, 2025 at 7:32 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> From a privacy perspective, using a correlatable identifier across all
> sites simplifies tracking to the detriment of the user's privacy.
>
> The other concern with this approach is control of the identifier is
> control of your identity. How does my mom get back control?
>
> We have similar issues with email, which is by default how people login to
> most sites and do an email loop to prove control of their identifier if
> they (or the attacker) does not have the password.
>
> On Tue, Jan 21, 2025 at 5:26 PM Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>> As some of you are probably aware, BlueSky makes use of OAuth2 as their
>> primary authentication mechanism with one important divergence from the
>> established use pattern: account identifiers are DNS handles.
>>
>> I have been looking at this approach in some detail and I think that just
>> as 90% of the Web was not new but contained the missing pieces that
>> completed the puzzle, the use of DNS handles may represent a similar step
>> forward for OAuth and much much more.
>>
>> As I see it, there are two types of DNS handle, personal registration
>> handles under a name held by the user. I have hallambaker.com so I
>> issued myself @phill.hallambaker.com. Most users don't have a DNS name
>> so they make use of 'at will' handles that are provided by a service
>> provider. Right now, that is pretty much limited to Blue Sky (I also
>> have @hallam.bsky.social). But what if the use of DNS handles became the
>> standard way to do OpenID instead of being limited to an account with the
>> provider cartel? What if I could use my DNS handle to log in anywhere?
>>
>>
>> I have been working on this and have developed code that puts up a social
>> media forum entirely disconnected from BlueSky and the ATprotocol but
>> allows use of the same handles. So once I have the site finished, you will
>> be able to comment on my personal blog at https://phill.hallambaker.com/
>> using the same account you use for BlueSky. And you will be able to comment
>> on the specs and join in private forum discussions at mplace2.social.
>>
>> And when I started, that was really all I was looking to do plus work out
>> how to use the same mechanism with the end-to-end secure personal
>> communications scheme I have developed. If Alice is using @
>> alice.example.com for social media, isn't that the obvious handle to use
>> to reach her for direct messaging? And if she accepts a contact exchange,
>> shouldn't I also be able to send her email and drop files? how about using
>> the same handle to set up a MOQ video chat?
>>
>>
>> What this gets us to is a place where there is a big incentive for users
>> to get themselves a multi-purpose DNS handle for their personal internet
>> identity. Ideally of course, this is a personal registration allowing the
>> user to change their service provider(s) at will without switching costs.
>> But even an at-will handle is making them independent of the provider
>> cartel.
>>
>> And we can go further, I have code that automates management of IoT
>> devices under either type of handle. So I can buy a coffee pot, onboard it
>> to my personal set of devices and set it up with the DNS record entries and
>> certificates to reach it as coffee.hallambaker.com - all by scanning the
>> QR code and giving it the name 'coffee'.
>>
>> As with the Web, 90% of what we need to make this happen already exists -
>> OAuth, OpenID, DNS Update, ACME, I am just writing a profile that takes
>> very large specs and chops out bits to choose a single way to do things. As
>> you would expect, I am filling in some of the gaps using code I have
>> written for the Mesh but we could use Signal protocol instead - if the
>> provider was willing to open up its walled garden.
>>
>>
>> I believe the above represents a compelling value proposition. But as I
>> got into documenting, I started to find more and more opportunity.
>>
>> Let us imagine that we rejigger the current ATprotocol spec for DNS
>> handles slightly so that we make the authorization service a first class
>> party rather than being assumed to be a service provided by a particular
>> content provider. Let us also give it a new name (I am currently
>> using @nywhere) under which this particular log in trope can be recognized
>> and assume that it is widely supported as a means of logging into content
>> providers across the Internet.
>>
>> In that scenario, I could log into my authentication provider once in the
>> morning and that would give me access to all the content properties I need
>> access to across the Web. And that provides an antidote for the current
>> trend towards absurd and obnoxious demands for 2FA to access assets that
>> are ultimately worthless. No, a crappy Web store does not need me to create
>> an account for me to browse their wares and it certainly doesn't need to
>> demand me respond to an email callback.
>>
>> If I have a single authentication provider, then it can authenticate me
>> once in the morning and I am good to go for the day. And we don't need to
>> be limited to the limited capabilities of authentication schemes that work
>> across HTML/HTTP. We can use biometrics, etc. etc.
>>
>> This gives us a route to get rid of passwords that is actually deployable.
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

v2.38.3 | Report a Bug | By Email | System Status