Re: RFC 8252 is a complete joke

I spent the weekend bringing up a new PC and the experience demonstrated many weaknesses in the current authentication infrastructure and the near complete lack of user autonomy. I have no choice but to use an OAUTH account to log in to many applications etc. and the user experience is dire. I ended up responding to at least a dozen PIN challenges to my mobile device. My environment is somewhat extensive but it really isn't that much more complex than a regular user's.

IETF has traditionally avoided doing UI but in this case, the UI is the protocol and it is impossible to discuss the security of the system without discussing the boundaries between what the user can and cannot trust.

Will passkeys solve these problems? I am very skeptical because while the security offered is a real improvement on the status quo, what passkeys are really replacing is the browser cookie traditionally used to reauthenticate the machine. That isn't where the real UI pain is for the user.



On Thu, Jun 22, 2023 at 3:09 PM Michael Thomas <mike@xxxxxxxx> wrote:


On 6/22/23 6:13 AM, Abdussalam Baryun wrote:


You may have brought it up within discussion only, but not in a presentation/doc to the WG.
Updating 8252 with you authoring a new draft proposal/input can get interest to adapt it,
and as long as 8252 is used/BCP then the best choice is to make an update input (i.e. as you mentioned before, a re-write).

After the last round of incoherent prattling about "native apps are your first problem" when the reality is that there are hundreds of thousands of them on app stores and they are widely used, I'd rather not have another go at that. The problem here is that IETF shouldn't be compounding the problem by giving users a false sense of security that their possibly valuable credentials won't be stolen.

Frankly, I'm beginning to question whether federation for login that involves passwords is a good idea in all cases. OAUTH seemed to carve out a very narrow use case that seemingly is safe for the web, but unsafe for the more general case which is how a huge swath of users experience being online these days. I know that OAUTH didn't have a crystal ball about the rise of phone apps when they started, but by the time the BCP was written it was well established. Telling bad guys to not be bad is not the answer and the IESG should move that terrible take to historic.

Mike

