On 2/26/2021 8:31 AM, Tim Bray wrote:
> On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <jric...@mit.edu> wrote:
>
>> Right, it’s possible to patch OAuth to do this, but the whole
>> “registration equals trust” mindset is baked into OAuth at a
>> really core level. That’s one of the main reasons there’s been
>> hesitance at deploying dynamic registration. It’s an extension
>> that changes your trust model’s assumptions, and does so in a way
>> that is challenging for a lot of large scale providers.
>
> Justin is correct but being extremely diplomatic. “There’s been
> hesitance”, as he puts it, translates in practice to some lawyer or VP
> saying “You want to accept auth assertions for business transactions
> from unknown parties? I have no interest in jail time, so forget it.”

Tim's point is very important. It shows a tension between "blindly
accepting authentication claims from unknown parties", which would
indeed lead to adversarial business consequences, and "only accepting
authentication claims from parties that have been marked as trusted by
my organization", which in theory looks safe but in practice drives
concentration. If the trust decision is delegated to each site, we have
the recipe for a network effect, in which only a very small set of big
organizations can provide authentication for everybody, and collect the
corresponding data and statistics.

This is both a very hard problem and an urgent problem. An IETF working
group works on a hard issue and produces an incomplete solution. Big
companies can fill the gaps by providing their own value. The result is
further concentration of the Internet.

Such problems are very hard, but they are not impossible to solve. Look
for example at PKI and its supporting infrastructure like the CAB Forum.
It is not perfect, but at least it had the property of allowing web
sites to use HTTPS without routing all authentication transactions
through third parties. Wouldn't it be nice if we had a federation system
on top of OAuth? I suppose that is difficult. Not a reason to not try...

-- Christian Huitema
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth