Hello Jim,
Since you dared to raise the question: "*How does OAuth harm privacy*
?", I need to respond. I changed the tile of the thread accordingly.
With OAuth, the RS must have a prior relationship with the AS (which is
not scalable). When the client calls the AS,
the AS is able to know which is the RS and then is in a position to know
which end-user is likely to access which RS.
When furthermore *token introspection* is being used, the AS is in a
position to know exactly when an end-user
is performing an access to every RS. Some people would say that the AS
is able to act as *Big Brother*.
While this might be acceptable within a single domain (i.e. all the
users, ASs and RSs belong to the same organization
or company), this is a serious concern if/when used in general over the
Internet in a multi-domain case.
Since the access tokens are considered to be opaque to the clients (and
hence to the end-users), a client is not supposed
to verify which privileges have effectively been inserted into an access
token, in particular whether a unique identifier
that would allow the RSs to correlate the accounts of their users has
been maliciously added into every access token.
In your email you wrote:
I don’t see how moving from handing your creds over to a third party
to OAuth2 workflows, harms either privacy or security.
I hope that the facts mentioned above will allow you to see that OAuth
does harm the user's privacy.
Denis
Il 01/03/2021 15:13 Jim Manico <j...@manicode.com> ha scritto:
How does OAuth harm privacy?
I think you are analyzing the matter at a different level.
If you start from a situation in which everyone is managing their own
online identity and credentials, and end up in a situation in which a
set of very few big companies (essentially Google, Apple and Facebook)
are supplying and managing everyone's online credentials and logins,
then [the deployment of] OAuth[-based public identity systems] is
harming privacy.
Centralization is an inherent privacy risk. If you securely and
privately deliver your personal information to parties that can
monetize, track and aggregate it at scale, then you are losing privacy.
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com <mailto:vittorio.bert...@open-xchange.com>
Office @ Via Treviso 12, 10144 Torino, Italy
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth