Justin Richer <jricher@xxxxxxx> wrote:
> From a technical standpoint, OAuth’s dynamic client registration lets
> arbitrary clients talk to an AS, but the trust isn’t there in
> practice.

As an example of a fail even in a closed ecosystem: neither Google nor Facebook nor LinkedIn nor .. permit one to log in to them with themselves.
Even if we believe that there are business reasons why they wouldn't delegate to another, the fact is that they don't delegate to themselves.

What's the use case? I'll give you two:
1) parent/child
2) boss/secretary (*)

My kid is subject to Google Classroom. A great idea, rather poorly implemented. The parent interface is basically non-existent. The advice, from *GOOGLE* (and my school board) is, in order to find out what your child is doing... have them share their password with you, the parent.

I read this, and went WTF? Doesn't that go against all of the authentication security precepts that Google and others have been telling us?

(*) - yes there are limited abilities to do this within gmail. But, it does not extend throughout the ecosystem.

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide