On 2/26/2021 8:31 AM, Tim Bray wrote:
On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <jricher@xxxxxxx> wrote:
Right, it’s possible to patch OAuth to do this, but the whole “registration equals trust” mindset is baked into OAuth at a really core level. That’s one of the main reasons there’s been hesitance at deploying dynamic registration. It’s an extension that changes your trust model’s assumptions, and does so in a way that is challenging for a lot of large scale providers.
Justin is correct but being extremely diplomatic. “There’s been hesitance”, as he puts it, translates in practice to some lawyer or VP saying “You want to accept auth assertions for business transactions from unknown parties? I have no interest in jail time, so forget it.”
Tim's point is very important. It shows a tension between "blindly accepting authentication claims from unknown parties", which would indeed lead to adversarial business consequences, and "only accepting authentication claims from parties that have been marked as trusted by my organization", which in theory looks safe but in practice drives concentration. If the trust decision is delegated to each site, we have the recipe for a network effect, in which only a very small set of big organizations can provide authentication for everybody, and collect the corresponding data and statistics.
This is both a very hard problem and an urgent problem. An IETF working group works on a hard issue and produces an incomplete solution. Big companies can fill the gaps by providing their own value. The result is further concentration of the Internet.
Such problems are very hard, but they are not impossible to solve. Look for example at PKI and its supporting infrastructure like the CAB Forum. It is not perfect, but at least it had the property of allowing web sites to use HTTPS without routing all authentication transactions through third parties. Wouldn't it be nice if we had a federation system on top of OAUTH? I suppose that is difficult. Not a reason to not try...
I'm coming to the conclusion that federation is inherently a bad idea for many of the reasons that Christian cites above. What's even worse is that for OAUTH in particular, use in native apps is ripe for "master" password harvesting, making all of the things he cites, and then it's not even secure.
What we should really be doing here is going back to first principles: this is being driven mainly by the desire to have single sign-on, so that we don't have to type passwords over and over. Passwords sent over the Internet are the source of lots of problems, but these days they are not inevitable. With webcrypto (simple) or webauthn (crypto dongles) we can enroll device- and service-specific asymmetric keys directly into the services, without the need for either a password or a trusted third party at all. This keeps the relationship between user and service as it should be: 1:1.
See: https://out.mtcc.com/hoba-bis/
Mike
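The 1:1 model Mike describes, as an added example that is not code from this thread or from the linked draft: each service holds only the device keys its own users enrolled with it, and a login is a signature over a fresh nonce bound to that service's origin, so no password crosses the wire and no third party is consulted. Ed25519, the `Service` type and the `https://example.test` origin are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Service is one relying party. It holds only the device keys its own users
// enrolled with it; no identity provider or other third party is involved.
type Service struct {
	Origin string
	keys   map[string]ed25519.PublicKey // user -> enrolled device key
}

func NewService(origin string) *Service {
	return &Service{Origin: origin, keys: map[string]ed25519.PublicKey{}}
}

// Enroll records a user's device key (done once, at sign-up).
func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for a single login attempt.
func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// toBeSigned binds the nonce to the service origin, so a response signed
// for one service is never a valid response at another.
func toBeSigned(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Sign is the device side: it answers with the key it enrolled at origin.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, toBeSigned(origin, nonce))
}

// Verify checks a response against the key enrolled for this user; an
// unknown user, a foreign origin or a stale nonce all fail.
func (s *Service) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, toBeSigned(s.Origin, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	svc := NewService("https://example.test") // constructed sample origin
	svc.Enroll("alice", pub)
	nonce, _ := svc.Challenge()
	fmt.Println("login ok:", svc.Verify("alice", nonce, Sign(priv, svc.Origin, nonce)))
}
```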