[OAUTH-WG] Re: Call for adoption - First Party Apps

Tim Cappalli <tim.cappalli@okta.com> Thu, 05 September 2024 14:48 UTC

From: Tim Cappalli <tim.cappalli@okta.com>
Date: Thu, 05 Sep 2024 10:48:37 -0400
Message-ID: <CACZ9TyC3gTnwCwkmcwZ8JBm=vFrEErhw=2ULKU8vVNJMpJGjWQ@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>

IMO, we're getting very off topic here. The WebAuthn text is not part of
the draft being called for adoption.

On Thu, Sep 5, 2024 at 2:15 AM Neil Madden <neil.e.madden@gmail.com> wrote:

> On 5 Sep 2024, at 05:45, David Waite <david@alkaline-solutions.com> wrote:
> >
> >> On Sep 4, 2024, at 4:27 PM, Neil Madden <neil.e.madden@gmail.com>
> wrote:
> >>
> >>> On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com> wrote:
> >>>
> >>> I can always grab the cookie jar off the user browser if I have that
> >>> level of access.
> >>
> >> USB access is not privileged, but that’s beside the point.
> >
> >>
> >> Put another way, the phishing-resistance of WebAuthn only really makes
> sense in a world of sandboxed apps: web apps, mobile apps. Any spec that
> encourages the use of OAuth auth flows outside of such sandboxed
> environments, as this one potentially does, is going to make defending
> against phishing harder.
> >
> > The client is not an identified/authenticated component in the
> architecture, so there is a user trust required in using a client - that
> the client actually is an agent acting in the user’s interest rather than
> acting maliciously.
> >
> > Platforms have the ability to provide specific API for these
> interactions to become a trustworthy client, and to block privileged access
> (including access to speak directly to hardware) behind audited
> entitlements to prevent from installed software acting as a malicious
> client.
>
> Right, this is what I mean by sandboxed.
>
> >
> > Note that some platforms also provide entitlements and heuristics for
> password manager access - however, as a knowledge-based system the platform
> cannot really prevent malicious applications from still attempting to
> manipulate their way to credential phishing.
> >
> >>
> >> (I’d also question why first-party apps need a standardised API for
> this anyway: they can do whatever they like using proprietary APIs already).
> >
> > I would struggle to come up with standards-track RFCs which would not be
> able to instead be accomplished with proprietary APIs. The editors and
> working groups found value in peer review and in interoperability.
>
> Standards are for promoting interoperability, not for getting free peer
> review of private APIs.
>
> >
> > I have seen the pitfalls of a proprietary approach to this and would say
> peer review is important. My primary concern is whether we can have
> clients that authenticate against multiple implementing ASes based solely
> on this work. Profiling authentication methods like passkey-based
> authentication would go a long way toward alleviating that concern.
> >
> > -DW
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>