On Fri, Feb 26, 2021 at 11:32 AM Tim Bray <tb...@textuality.com> wrote:

>
>
> On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <jric...@mit.edu> wrote:
>
>> Right, it’s possible to patch OAuth to do this, but the whole
>> “registration equals trust” mindset is baked into OAuth at a really core
>> level. That’s one of the main reasons there’s been hesitance at deploying
>> dynamic registration. It’s an extension that changes your trust model’s
>> assumptions, and does so in a way that is challenging for a lot of large
>> scale providers.
>>
>
> Justin is correct but being extremely diplomatic. “There’s been
> hesitance”, as he puts it, translates in practice to some lawyer or VP
> saying “You want to accept auth assertions for business transactions from
> unknown parties?  I have no interest in jail time, so forget it.”
>

Getting back to the general case rather than litigating one particular
protocol. I have on many occasions found that the response to raising an
issue in the IETF is to be told that the solution is I should go and
'educate them' to understand that their concern doesn't matter.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
