>
> 1) Disclosure of an identifier allows a service attack using that
> identifier.
Sure, would you be able to say more about this, though? I'm not sure I'm
fully grasping the consequence here.
> 2) Linking separate uses of an identifier allows a profile to be
> constructed of the individual that ca
Let's take a step back. There are two separate sets of concerns related to
'privacy':
1) Disclosure of an identifier allows a service attack using that
identifier.
2) Linking separate uses of an identifier allows a profile to be
constructed of the individual that can be used against the interest of
I think the IETF should look at three issues:
1. HTTP redirect flows in support of workflows (e.g. MFA sign-on flows) - HTTP
redirect is the single most complex part of OAuth2 and drove a lot of the
OAuth2 Threat Model and the subsequent drafts such as PKCE. Right now, OAuth
takes the blame be
Vittorio,
I feel you are conflating OIDC with OAuth2. In delegation workflows, the
AS/RS can be any company and the clients are approved registered
clients. I use OAuth2 for many of my own consumer needs and there is an
even distribution of use among many services. OAuth2 protects me. I no
lo
> On 01/03/2021 15:13 Jim Manico wrote:
>
>
> How does OAuth harm privacy?
>
I think you are analyzing the matter at a different level.
If you start from a situation in which everyone is managing their own online
identity and credentials, and end up in a situation in which a set
How does OAuth harm privacy? This critical delegation use case is user-driven,
protects against leaking user passwords to third-party services, limits access to
user account features and allows the user to cancel this relationship at any time.
OAuth2 provides more security and privacy than the previous