Hello Jim,

Since you dared to raise the question: "How does OAuth harm privacy?", I need to respond. I changed the title of the thread accordingly.
With OAuth, the RS must have a prior relationship with the AS (which is not scalable). When the client calls the AS, the AS is able to know which is the RS and then is in a position to know which end-user is likely to access which RS.
When furthermore token introspection is being used, the AS is in a position to know exactly when an end-user is performing an access to every RS. Some people would say that the AS is able to act as Big Brother.
While this might be acceptable within a single domain (i.e. all the users, ASs and RSs belong to the same organization or company), this is a serious concern if/when used in general over the Internet in a multi-domain case.
Since the access tokens are considered to be opaque to the clients (and hence to the end-users), a client is not supposed to verify which privileges have effectively been inserted into an access token, in particular whether a unique identifier that would allow the RSs to correlate the accounts of their users has been maliciously added into every access token.
In your email you wrote:
I don’t see how moving from handing your creds over to a third party to OAuth2 workflows, harms either privacy or security.
I hope that the facts mentioned above will allow you to see that OAuth does harm the user's privacy.
Denis
On 01/03/2021 15:13 Jim Manico <jim@xxxxxxxxxxxx> wrote:
How does OAuth harm privacy?
I think you are analyzing the matter at a different level.
If you start from a situation in which everyone is managing their own online identity and credentials, and end up in a situation in which a set of very few big companies (essentially Google, Apple and Facebook) are supplying and managing everyone's online credentials and logins, then [the deployment of] OAuth[-based public identity systems] is harming privacy.
Centralization is an inherent privacy risk. If you securely and privately deliver your personal information to parties that can monetize, track and aggregate it at scale, then you are losing privacy.
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@xxxxxxxxxxxxxxxx
Office @ Via Treviso 12, 10144 Torino, Italy
_______________________________________________ OAuth mailing list OAuth@xxxxxxxx https://www.ietf.org/mailman/listinfo/oauth