Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Aaron Parecki
> Do you disagree that this gives them control over which things talk to their servers? Yes -- with a public client, I can impersonate a "real" app and it's basically non-detectable by the AS. For a theoretical example, if I wanted to use the Instagram API but they restrict which apps can upload

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread David Waite
> On Feb 26, 2021, at 9:32 AM, Aaron Parecki wrote: > The point is that basically nobody uses it because they don't want to allow > arbitrary client registration at their ASs. That's likely due to a > combination of pre-registration being the default model in OAuth for so long > (the

Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30

2021-02-26 Thread Mike Jones
Thanks again for your review, Watson. My replies to your comments below are prefixed by "Mike>". -Original Message- From: Watson Ladd Sent: Tuesday, December 15, 2020 9:01 PM To: Nat Sakimura Cc: secdir ; IETF oauth WG ; last-c...@ietf.org; draft-ietf-oauth-jwsreq@ietf.org

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Christian Huitema
On 2/26/2021 8:31 AM, Tim Bray wrote: On Fri, Feb 26, 2021 at 8:10 AM Justin Richer wrote: Right, it’s possible to patch OAuth to do this, but the whole “registration equals trust” mindset is baked into OAuth at a really core level. That’s one of the main

[OAUTH-WG] How to tell people... Was: We appear to still be litigating OAuth, oops

2021-02-26 Thread Phillip Hallam-Baker
I spend rather too much time doing disinformation analysis these days. But one of the issues that keeps coming up is what Sartre called a 'bad faith' argument which is an unfortunate term in that people end up doing it without being aware of it, no malice involved. What Sartre was describing was

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Aaron Parecki
Dynamic client registration does exist in OAuth: https://tools.ietf.org/html/rfc7591 The point is that basically nobody uses it because they don't want to allow arbitrary client registration at their ASs. That's likely due to a combination of pre-registration being the default model in OAuth for

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Tim Bray
On Fri, Feb 26, 2021 at 8:10 AM Justin Richer wrote: > Right, it’s possible to patch OAuth to do this, but the whole > “registration equals trust” mindset is baked into OAuth at a really core > level. That’s one of the main reasons there’s been hesitance at deploying > dynamic registration. It’s

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Warren Parad
A) I don't think it is helpful to talk about what other WGs are doing, or how GNAP attempts to fix or not fix these problems. B) Sharing statements like this: > Right, it’s possible to patch OAuth to do this, but the whole > “registration equals trust” mindset is baked into OAuth at a really core

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Justin Richer
Right, it’s possible to patch OAuth to do this, but the whole “registration equals trust” mindset is baked into OAuth at a really core level. That’s one of the main reasons there’s been hesitance at deploying dynamic registration. It’s an extension that changes your trust model’s assumptions,

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-26 Thread Justin Richer
> On Feb 25, 2021, at 2:59 PM, Evert Pot wrote: > On 2021-02-25 3:41 a.m., Seán Kelleher wrote: >> Yep, this is the big point - OAuth is designed to require the third leg >> of trust that creates the NxM problem. >> >> I believe the snippet of Justin's that you quoted actually shows you how