Vittorio,
I feel you are conflating OIDC with OAuth2. In delegation workflows, the
AS/RS can be any company and the clients are approved registered
clients. I use OAuth2 for many of my own consumer needs and there is an
even distribution of use among many services. OAuth2 protects me. I no
longer have to hand out my twitter credentials just because my
conference website wants limited access to my twitter account. I can now
give my conference website limited delegated access to my twitter
account and cancel that relationship any time. For years I was forced to
give up my banking credentials to services like Mint and that is no
longer the case due to the OAuth2 financial extension (FAPI).
While OIDC is certainly centralizing identity to a few providers, a real
problem, OAuth2 when used for delegation purposes does not have that
same inherent risk.
Respectfully,
- Jim Manico
On 3/1/21 9:59 AM, Vittorio Bertola wrote:
On 01/03/2021 15:13 Jim Manico <j...@manicode.com> wrote:
How does OAuth harm privacy?
I think you are analyzing the matter at a different level.
If you start from a situation in which everyone is managing their own
online identity and credentials, and end up in a situation in which a
set of very few big companies (essentially Google, Apple and Facebook)
are supplying and managing everyone's online credentials and logins,
then [the deployment of] OAuth[-based public identity systems] is
harming privacy.
Centralization is an inherent privacy risk. If you securely and
privately deliver your personal information to parties that can
monetize, track and aggregate it at scale, then you are losing privacy.
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy
--
Jim Manico
Manicode Security
https://www.manicode.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth