On Thu, May 22, 2025 at 1:58 PM Eric Rescorla <e...@rtfm.com> wrote:
> On Thu, May 22, 2025 at 10:28 AM Phillip Hallam-Baker <ph...@hallambaker.com> wrote:
>
>> I accept that most people are going to go for a free DNS handle issued by a handle provider. But a system in which users have the option of exit has completely different dynamics to one where they are locked in by switching costs.
>>
>
> Yes, I agree with this. But even in the case where the DNS handle is associated with my own server, that server is then likely hosted by some DNS hosting provider, and so we have to worry about privacy via that provider.
>

The amount of information available to the Handle Service Provider is pretty modest unless they are running the OAUTH IdP, and this is all about taking them out of that loop as well. Google knows a heck of a lot more about my use of my OpenID, and the difference is I really don't have much choice in OpenID providers. I would much rather trust a HSP I picked than Google. I do not trust Facebook at all; they just blocked my wife's account for absolutely no cause so they can demand she render up some biometrics to Caesar.

>>> * Allowing the site to control the timing of the authentication (e.g., offering you connect unauthenticated and then upgrading).
>>> * Allowing the site to offer multiple authentication options.
>>> * Allowing the site to control the look and feel of the interaction.
>>>
>>
>> I don't want the site to be doing any of that. I want there to be a single consistent authentication experience across everything. Without consistency, users have no idea what they are doing and the scheme is vulnerable to social engineering attacks.
>>
>
>>> What matters here is not what you want but rather what the site wants, and in my experience they want these properties.
>>> So, again, I ask: which major players in the current ecosystem are interested in this.
>>>
>>

I missed this the first time. Are you serious?

'What matters here is not what you want but rather what the site wants'

So, we only listen to the businesses and corporations, not the Web users?

I think you are dead wrong about what the sites want. I have heard many, many sites say they want OpenID without having Facebook or Google in the loop. They absolutely do not want an auth system that has their biggest competitive threats seeing who visits them.

>> The target 'site' in this case is the HTTPS server built into my next IoT thermostat after the current one is disabled because of malicious obsolescence.
>>
>
> OK, but there are still vendors who need to do things, so I think my question continues to be relevant.
> Which device and/or browser vendors are interested?
>

Well, since I made the first version of this proposal on Monday and it is now Thursday, I expect the answer to both is 'none' and 'one'. And the one is only because I have my own browser that I use as a testbed for things.

I don't need to be able to log into my thermostat from every one of my Web browsers. Just one of them is sufficient, and it doesn't need to be fully featured. The client auth part is not currently critical path as far as deployment goes.

My expectation is that DNS Handles will reach 500 million users over the next few years and that in turn will drive at least one browser provider to support privacy personas based on that.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org