On Wed, May 21, 2025 at 10:26 AM Shumon Huque <shu...@gmail.com> wrote:
> Phillip,
>
> Can you review the DANCE documents and see if they can satisfy your use
> case?
>
> https://datatracker.ietf.org/wg/dance/documents/

Will do. It might well be that all we need to do is call out this specific use case.

> You could also start a thread on the DANCE wg mailing list.

Have done just that.

> At first glance, I can't see why the DANE TLS client auth protocol
> described there could not accommodate Bluesky/AT protocol handles, but
> perhaps you can do a deeper review. It might also be useful to describe the
> use case in the DANCE architecture doc (which describes the set of other
> use cases we had originally envisioned). This set of docs is currently in
> working group last call.

It is certainly a technical possibility. What I am saying here is that we have the opportunity to turn TLS Client Auth into the ubiquitous Internet/Web authentication infrastructure. But that isn't going to just happen of its own accord. We have to figure out how to make it happen.

From a technical point of view, ATprotocol DNS handles are really just 'a way' to do OAUTH. From a deployment standpoint, they have backing from a significant and growing set of social media providers building on the ATmosphere platform. And that is really great. If we want DANCE to take off, we have to work out what is needed to make that possible and how we get that to happen.

I think I am starting to see the beginnings of a plan.

Today, my gmail account, hal...@gmail.com, and my personal account ph...@hallambaker.com, which is really just an alias to it, are my account names at over 350 different Web sites. And that is a real problem because those are the addresses all the callback challenges go to. That is a really weak security model, but it is the only open model we have. OpenID lets me use my hal...@gmail.com address directly, but not the name that I chose for myself.

My wife just had her Facebook account deleted for absolutely no reason. Unlike myself, she barely posts. She suspects the company is merely trying to force her to provide biometric information they can exploit under the guise of 'security'. And I can't say she is wrong. In the meantime, all her other accounts she used Facebook OpenID Connect to access have been lost.

Using @phill.hallambaker as the means to authenticate against my ATmosphere OAUTH provider means OpenID can potentially live up to its name at last and become open. We can and we should encourage use of that model as a means of achieving ubiquitous authentication to a single account across the whole Web and Internet. Apart from SAML, which is essentially the same thing with pointy brackets instead of curly ones, that is the only scheme we have that is 100% compatible with existing Web Browsers.

But that model has a serious limitation: it is a privacy nightmare because my OAUTH provider knows everything I am doing. Oh, and before you say 'but that is the whole point', not if you are covered by GDPR it is not. As a former GDPR DPO, let me assure you that if you are profiting from your operation of an OpenID server, you are opening the door to a whole world of hurt, misery and enormous fines.

So the opening I see for DANCE is that the TLS Client Auth model allows the user to talk directly to the relying party without any third party having the ability to do traffic analysis. We achieve the same end as OpenID but without the risk of $6.7 billion fines for GDPR non-compliance.

It is also the superior model. If you read my JSDevice draft, it describes a way to describe an IoT device so that a configulator app can use whatever mutually supported onboarding protocols (of which there are now many) it offers to issue it a DNS address and WebPKI certificate so that you can now access it using HTTPS.

https://www.ietf.org/archive/id/draft-hallambaker-jsdevice-00.html

When I was writing this, I was expecting the user would be logging into their IoT devices via OAUTH. But TLS client auth is obviously superior because now I can change the temperature on my thermostat even if the Internet connection is down.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org