Assessing the negative effects of proposed standards

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/03/2021 10:44 Vittorio Bertola <vittorio.bertola@xxxxxxxxxxxxxxxx> wrote:

 

> Il 26/02/2021 17:32 Aaron Parecki <aaron@xxxxxxxxxxx> ha scritto:

 

 

>> Dynamic client registration does exist in OAuth: https://tools.ietf.org/html/rfc7591

 

>> The point is that basically nobody uses it because they don't want to allow arbitrary client registration at their ASs. That's likely due to a combination of pre-registration being the default model in OAuth for so long (the Dynamic Client Registration draft was published several years after OAuth 2.0), as well as how large corporations have decided to run their ASs where they want to have (what feels like) more control over the things talking to their servers.

 

> This is indeed a matter of product design. I am active in an OIDC-based open identity project where the specs say that providers MUST accept dynamic client registration, without a pre-determined client secret. This is the only way to create a federation that can work on an Internet scale, with relying parties accepting identities managed by providers unknown to them. Then, of course, this also creates lots of opportunities for abuse: you end up in an email-like scenario in which you need ways to ascertain trust in unknown parties and decide whether you want to accept interoperating with them and believe the information they provide, which in turn depends a lot on your specific use case. But we think that that is preferrable to the centralization that is inherent in the original registration model.

 

 

I wonder whether proposed standards should be assessed for their negative properties, eg whether they are likely to exacerbate centralisation, much like security aspects are reviewed.  It may be that a given proposal might still go forward as the trade-offs are deemed worthwhile, however, they would at least be understood and, ideally, documented.  At present there seems to be an exorable drift towards centralisation which, in my view, has a detrimental impact on both resilience and privacy.  Such developments may satisfy the needs of their proponents but are unlikely to be in the long-term interests of end-users (RFC 8890) and, therefore, it would be helpful if this trend wasn’t made worse by the introduction of new standards.

 

 

Andrew Campling


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux