Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

On Fri, Feb 26, 2021 at 11:32 AM Tim Bray <tbray@xxxxxxxxxxxxxx> wrote:


On Fri, Feb 26, 2021 at 8:10 AM Justin Richer <jricher@xxxxxxx> wrote:
Right, it’s possible to patch OAuth to do this, but the whole “registration equals trust” mindset is baked into OAuth at a really core level. That’s one of the main reasons there’s been hesitance at deploying dynamic registration. It’s an extension that changes your trust model’s assumptions, and does so in a way that is challenging for a lot of large scale providers.

Justin is correct but being extremely diplomatic. “There’s been hesitance”, as he puts it, translates in practice to some lawyer or VP saying “You want to accept auth assertions for business transactions from unknown parties?  I have no interest in jail time, so forget it.”  

Getting back to the general case rather than litigating one particular protocol: I have on many occasions found that the response to raising an issue in the IETF is to be told that the solution is I should go and 'educate them' to understand that their concern doesn't matter.


 
