Re: [OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Warren Parad
> > 1) Disclosure of an identifier allows a service attack using that > identifier. Sure, would you be able to say more about this though, I'm not sure I'm fully grasping the consequence here. 2) Linking separate uses of an identifier allows a profile to be > constructed of the individual that ca

Re: [OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Phillip Hallam-Baker
Let's take a step back. There are two separate sets of concerns related to 'privacy': 1) Disclosure of an identifier allows a service attack using that identifier. 2) Linking separate uses of an identifier allows a profile to be constructed of the individual that can be used against the interest of
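
The two concerns listed above (an identifier disclosed to one service being reusable against another, and separate uses of one identifier being linkable into a profile) are exactly what pairwise pseudonymous subject identifiers in OpenID Connect Core 1.0 section 8.1 are meant to address. The Python below is an added example, not code from this thread or from any project it mentions; it simulates both concerns against an AS that issues one global `sub` and an AS that issues a per-sector pseudonym. The HMAC-SHA256 derivation, the sector identifiers, the account names and the secret are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the usual encoding for opaque OAuth/OIDC values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal AS that chooses the 'sub' value placed in tokens for a given relying party.

    mode="public"   : one global identifier for every relying party (linkable).
    mode="pairwise" : a per-sector pseudonym derived from an AS-held secret.
    The HMAC-SHA256 derivation is an assumption of this example; OIDC Core 8.1
    only requires pairwise values to be stable per sector and not reversible.
    """

    def __init__(self, pairwise_secret: bytes, mode: str = "pairwise") -> None:
        if mode not in ("public", "pairwise"):
            raise ValueError("mode must be 'public' or 'pairwise'")
        if mode == "pairwise" and len(pairwise_secret) < 32:
            raise ValueError("pairwise secret should be at least 256 bits")
        self._secret = pairwise_secret
        self.mode = mode

    def subject_for(self, account_id: str, sector_identifier: str) -> str:
        if self.mode == "public":
            return account_id
        # Sector identifier and local account id are bound together under the
        # secret, so a relying party cannot recompute or invert the value.
        msg = sector_identifier.encode("utf-8") + b"\x00" + account_id.encode("utf-8")
        return _b64url(hmac.new(self._secret, msg, hashlib.sha256).digest())


def joinable_subjects(as_server, accounts, sector_a, sector_b) -> int:
    """Count identifiers issued for sector A that also resolve to an account at sector B.

    This one number captures both concerns in the thread: if sector A's user
    table leaks, each match is an identifier an attacker can reuse against B
    (concern 1), and if A and B collude, each match is a record they can link
    into a cross-service profile (concern 2).
    """
    issued_to_a = {as_server.subject_for(acct, sector_a) for acct in accounts}
    index_at_b = {as_server.subject_for(acct, sector_b): acct for acct in accounts}
    return sum(1 for sub in issued_to_a if sub in index_at_b)


# Constructed sample data for the demonstration (assumed, not from the thread).
ACCOUNTS = ["alice", "bob", "carol"]
SECTOR_PHOTOS = "https://photos.example"
SECTOR_MAIL = "https://mail.example"
SECRET = bytes(range(32))  # placeholder; a real AS would use a random, persisted key


def demo() -> dict:
    public_as = AuthorizationServer(SECRET, mode="public")
    pairwise_as = AuthorizationServer(SECRET, mode="pairwise")
    return {
        "public_joinable": joinable_subjects(public_as, ACCOUNTS, SECTOR_PHOTOS, SECTOR_MAIL),
        "pairwise_joinable": joinable_subjects(pairwise_as, ACCOUNTS, SECTOR_PHOTOS, SECTOR_MAIL),
        # The same user returning to the same service must still be recognised.
        "pairwise_stable": pairwise_as.subject_for("alice", SECTOR_PHOTOS)
        == pairwise_as.subject_for("alice", SECTOR_PHOTOS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the public mode every leaked or shared identifier matches at the other service; with the pairwise mode none do, while each service still sees a stable value for a returning user. Note that this only removes the join key; the AS itself still learns which relying party each user visits, which is the separate concern Denis raises elsewhere in the thread.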

Re: [OAUTH-WG] How does OAuth harm privacy ?

2021-03-01 Thread Warren Parad
👏 Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress. On Mon, Mar 1, 2021 at 5:27 PM Jim Manico wrote: > Denis, > > > With OAuth, the RS must have a prior relationship with the AS (which is > not scalable). > > I do n

Re: [OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Phil Hunt
I think the IETF should look at three issues: 1. HTTP Re-direct flows in support of workflows (eg MFA sign-on flows) - HTTP redirect is the single most complex part of OAuth2 and drove a lot of the OAuth2 Threat Model and the subsequent drafts such as PKCE. Right now, OAuth takes the blame be

Re: [OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Jim Manico
Vittorio, I feel you are conflating OIDC with OAuth2. In delegation workflows, the AS/RS can be any company and the clients are approved registered clients. I use OAuth2 for many of my own consumer needs and there is an even distribution of use among many services. OAuth2 protects me. I no lo

Re: [OAUTH-WG] How does OAuth harm privacy ?

2021-03-01 Thread Jim Manico
Denis, > With OAuth, the RS must have a prior relationship with the AS (which is not scalable). I do not see this as a real problem since in almost every use case the RS and AS are the same provider. If they are not the same provider I would suggest federation (OIDC) as opposed to delegation

[OAUTH-WG] How does OAuth harm privacy ?

2021-03-01 Thread Denis
Hello Jim, Since you dared to raise the question: "*How does OAuth harm privacy*?", I need to respond. I changed the title of the thread accordingly. With OAuth, the RS must have a prior relationship with the AS (which is not scalable). When the client calls the AS, the AS is able to know whi

Re: [OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Vittorio Bertola
> On 01/03/2021 15:13 Jim Manico wrote: > > > How does OAuth harm privacy? > I think you are analyzing the matter at a different level. If you start from a situation in which everyone is managing their own online identity and credentials, and end up in a situation in which a set

Re: [OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Jim Manico
How does OAuth harm privacy? This critical delegation use case is user driven, protects leaking user passwords to third party services, limits access to user account features and allows the user to cancel this relationship at any time? OAuth2 provides more security and privacy than the previous

[OAUTH-WG] Assessing the negative effects of proposed standards

2021-03-01 Thread Andrew Campling
On 01/03/2021 10:44 Vittorio Bertola <vittorio.bert...@open-xchange.com> wrote: > On 26/02/2021 17:32 Aaron Parecki <aa...@parecki.com> wrote: >> Dynamic client registration does exist in OAuth: >> https://tools.ietf.org/html/rfc7591 >> The point is that basically nobod

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-03-01 Thread Vittorio Bertola
> On 26/02/2021 17:32 Aaron Parecki wrote: > > > Dynamic client registration does exist in OAuth: > https://tools.ietf.org/html/rfc7591 > > The point is that basically nobody uses it because they don't want to > allow arbitrary client registration at their ASs. That's likely