Re: [OAUTH-WG] Assessing the negative effects of proposed standards


 





On Mon, Mar 1, 2021 at 3:31 PM Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:

On 3/1/21 3:11 PM, Phillip Hallam-Baker wrote:

Let's take a step back. There are two separate sets of concerns related to 'privacy':

1) Disclosure of an identifier allows a service attack using that identifier.

2) Linking separate uses of an identifier allows a profile to be constructed of the individual that can be used against the interest of the individual.

3) If it's already known that a service provider is routinely violating its users' privacy, why would anyone trust them to be an authentication service or identity provider for any service that they themselves did not operate?

(what I haven't tried to determine yet is whether HTTP cookies get exchanged during OAuth2 transactions...

Oh, the problems are far more pernicious than that. I don't like the term identity provider; it seems both pretentious and inapplicable. A problem with linkability is that the consumers of the authentication and authorization assertions can find ways to link even when the services are trying their best to prevent it.


 
