Hi Phil,

Thanks for the quick response. A few remarks below.

> I am not confused, I merely don't accept that the distinction is a useful one. I know what HTTP and HTML were supposed to be. I also know what they have become and that there is no way to go back.

> The fact that a technology has become one of the factors in reinforcing a duopoly position is far more relevant to the question of whether a group should be told that they must use it than ANY aspect of the technology itself. Yes, OAUTH is capable of supporting a different ecosystem to the one that it has established. But when an application is built on OAUTH, they don't get to change the ecosystem.

> It is the same in PKI. There is absolutely nothing stopping anyone from implementing the PGP Web of Trust in X.509. Mark Shuttleworth actually got pretty far in doing just that. But nobody is ever going to be able to use that system because there are simply too many assumptions about how the formats are used built into the deployed infrastructure.

You are raising an important point, which is described in this "Tussle in Cyberspace" paper:
https://groups.csail.mit.edu/ana/Publications/PubPDFs/Tussle%20in%20Cyberspace%20Defining%20Tomorrows%20Internet%202005's%20Internet.pdf

I believe you are arguing along the lines of the authors in that paper. My opinion is that such an approach is not practical for three reasons:

- Our work is contribution driven. If there is a bias in the solution towards a specific deployment then it is because contributions pushed it into that direction. Not only is it necessary to have someone contribute a solution but you also need the group to review it.
- Making protocols suitable for all possible deployments introduces complexity. Particularly for security protocols this is often unwanted.
- Someone needs to be interested to turn the flexibility of the specs into code and then into deployments.
In OAuth, for some reason, personal data stores, for example, have not been successful in the market.

Do I understand the issue you raise correctly?

>> Unfortunately, I don’t see how any of this relates to the diversity discussion. I would therefore suggest to move this discussion to the OAuth group. There are so many aspects in Phil’s email that require clarifications...

> If you noticed, I had actually broadened the issue of folk insisting on their technology being used to include the SPF/DKIM experience which was quite different.

> What I think some of the grownups need to start thinking about is just what is going to be happening over the next five to ten years as various politicians decide to wield anti-trust against what they are now calling big tech. The ostrich strategy that has worked so far is not likely to work for very much longer.

> Google and Facebook in particular would be well advised to start sending lawyers to all the standards meetings in which they participate. Or at the very least the ones that are being attended by lawyers who work for the FTC and EU anti-trust divisions.

Fair enough. A difficult topic to think about.

Ciao
Hannes