Re: [OAUTH-WG] Assessing the negative effects of proposed standards

Phillip Hallam-Baker <> Mon, 01 March 2021 20:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 61CBF3A223C; Mon, 1 Mar 2021 12:11:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PME92dYII2WF; Mon, 1 Mar 2021 12:11:58 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EFB393A223A; Mon, 1 Mar 2021 12:11:57 -0800 (PST)
Received: by with SMTP id h82so4490811ybc.13; Mon, 01 Mar 2021 12:11:57 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=s6LxBxVwzBte1ZpW/ei+xsj0ZQEHH06LDKHBzCQMFDk=; b=LZscb7eHa2L2OAmZ1dEaTTi0Zu51/xZ/L2ZDdWJ+VZ78RVkDBvgfOSUbtmNCOlsn8V Ia1EYmdYfaxQrI+9TRA/6ZZWCVFXhfP1x5IUfeofYH200EOsPe0V8F1DMXCEj36BdYDU 9BEWszHpLOwjaFjNO4xTqM7ZoNFuKwAVN5BIHFxSOSQPEJiOPxD3hTjAHj9ysG7RM5Jc W+v0+/P8z59k0AXSxt4Xya2CtLPmrxBkoOb4RYjISDCDHXmfzKn339N+UHFfVrK/HVqr 3pCsG6huEevAKP4sf2863zF+jv6J/ZSwric7FjqZdKejFQa5rEHtNZiBKJJHgCj4lKTl Pdow==
X-Gm-Message-State: AOAM532bxaUS0H49D6lrY1Lh5ao2R8beI5H0nlmKL2ojbQH7XPkhpRpz B9ejAEPtPvuEBRtrwEKZBJuI269jJ/soo1x9adshXp5Cm8Q=
X-Google-Smtp-Source: ABdhPJyrp5Z5fDQVvGsY3Jm6w9mx2FLQwb22TDBwF+jF74HKkSftL96hX08aPjQH15+uQCdFusyzwDCZtyFXGOIfGR8=
X-Received: by 2002:a25:ad67:: with SMTP id l39mr26282598ybe.172.1614629517173; Mon, 01 Mar 2021 12:11:57 -0800 (PST)
MIME-Version: 1.0
References: <CWXP265MB0566C4B21C45E760B1BFED7FC29A9@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <> <> <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Mon, 1 Mar 2021 15:11:46 -0500
Message-ID: <>
To: Phil Hunt <>
Cc: Jim Manico <>, IETF-Discussion Discussion <>,
Content-Type: multipart/alternative; boundary="000000000000d0a77205bc7f3a45"
Archived-At: <>
Subject: Re: [OAUTH-WG] Assessing the negative effects of proposed standards
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Mar 2021 20:11:59 -0000

Lets take a step back. There are two separate sets of concerns related to

1) Disclosure of an identifier allows a service attack using that

2) Linking separate uses of an identifier allows a profile to be
constructed of the individual that can be used against the interest of the

The reason I insist on this distinction is that privacy issues of the first
type are a consequence of crappy protocol design. There is absolutely no
reason why giving someone my bank details so they can send a payment TO me
should give them the ability to withdraw money from my account. But it does
and the banks will smugly gaslight that it just isn't possible to fix this
elementary flaw in their information architectures. And you can guess where
it came from if you hear the question being asked in the relevant Senate
hearing of the form, 'Mr CEO, you say that it would be impossible to make
this change, what size of penalty per loss are we going to have to impose
on your bank to make it cheaper for you to fix it than to claim it can't be

It should be possible for Madonna or Lewis Hamilton to put their personal
contact info on their Web sites without ending up being spammed to
oblivion. It is just a question of access control.

The second is a really difficult problem but authentication is only one
small part of it. I can turn out a public key authentication scheme that
allows Alice to surf the web at Bob and Carol's site without them being
able to tell its the same person from the identifier easily enough. But all
bets are off if Bob and Alice collude.