On 6/29/23 1:05 PM, Brian E Carpenter wrote:
On 29-Jun-23 23:25, tom petch wrote:
From: ietf <ietf-bounces@xxxxxxxx> on behalf of Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx>
Sent: 28 June 2023 00:57
On 6/27/23 05:18, Leif Johansson wrote:
Yeah, IETF is a very strange venue for something like OAUTH. Why
wasn't it done at W3C? At least they do UI stuff, and more to the
point have better clue of the inner workings of browsers. It would
have also driven home the point that it was a web thing, not a
general thing.
Because it isn't only about "the web"
If OAUTH is useful at all, OAUTH *should* be only about the web. At
least as it's typically used in practice, it's completely unsuitable for
ordinary applications.
<tp>
Microsoft seems to take the opposite view with Outlook. They have
withdrawn support for the traditional forms of authentication and are
now promoting the use of OAUTH as an alternative.
Not "promoting". They are *enforcing* it, which in turn has forced
implementors such as Thunderbird to jump through many hoops, and
millions of users to jump through yet more badly documented hoops. As
one of those millions, I lost a couple of hours of my life as a
result, for zero benefit.
The cynic (me!) might think that this advances the cause of those
websites whose primary mission is to maximise the amount of personal
data that can be harvested and monetised (or is that all websites
nowadays?).
I don't even think that's it. Like DMARC, it became an article of
faith that OAUTH provides additional security magic, which it doesn't.
If you think DMARC is bad, you'll love another product of that working
group -- ARC. Lots of magical thinking going with it. At least it's
experimental so it can ultimately fail modulo the magical thinking of
course.
Mike