Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

On 2/26/2021 8:31 AM, Tim Bray wrote:

On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <jricher@xxxxxxx> wrote:
Right, it’s possible to patch OAuth to do this, but the whole “registration equals trust” mindset is baked into OAuth at a really core level. That’s one of the main reasons there’s been hesitance at deploying dynamic registration. It’s an extension that changes your trust model’s assumptions, and does so in a way that is challenging for a lot of large scale providers.

Justin is correct but being extremely diplomatic. “There’s been hesitance”, as he puts it, translates in practice to some lawyer or VP saying “You want to accept auth assertions for business transactions from unknown parties?  I have no interest in jail time, so forget it.” 


Tim's point is very important. It shows a tension between "blindly accepting authentication claims from unknown parties", which would indeed lead to adversarial business consequences, and "only accepting authentication claims from parties that have been marked as trusted by my organization", which in theory looks safe but in practice drives concentration. If the trust decision is delegated to each site, we have the recipe for a network effect, in which only a very small set of big organizations can provide authentication for everybody, and collect the corresponding data and statistics.

This is both a very hard problem and an urgent problem. An IETF working group works on a hard issue and produces an incomplete solution. Big companies can fill the gaps by providing their own value. The result is further concentration of the Internet.

Such problems are very hard, but they are not impossible to solve. Look for example at PKI and its supporting infrastructure like the CAB Forum. It is not perfect, but at least it had the property of allowing web sites to use HTTPS without routing all authentication transactions through third parties. Wouldn't it be nice if we had a federation system on top of OAUTH? I suppose that is difficult. Not a reason to not try...

-- Christian Huitema

