[note: veering dangerously off-topic. If anyone kicks us out,
I'll accept without protesting]

On Mon, Aug 19, 2019 at 12:03:25PM -0400, Celejar wrote:
> On Mon, 19 Aug 2019 17:19:58 +0200
> <to...@tuxteam.de> wrote:

[...]

> > Edited by D. Hardt, Microsoft. Hmmm.
> 
> Ad hominem.

rather ad corporationem. Mr. Hardt most probably is a nice guy
himself.


> > > Third-party applications are required to store the resource
> > >       owner's credentials for future use, typically a password in
> > >       clear-text.
> > 
> > So for Mr. Hardt, Kerberos doesn't exist. Or he's talking HTTP context
> > only.
> 
> Not sure what your point is here: how are the relative merits of
> OAuth and Kerberos [...]

The way you quoted rfc6749 made it seem that its way of handling
third-party authentication was unique. It is not. But for "normal"
mail business it isn't even necessary!

> > But I digress: more interesting is this [1]:
> > 
> >    "Eran Hammer resigned his role of lead author for the OAuth
> >     2.0 project, withdrew from the IETF working group, and removed
> >     his name from the specification in July 2012. Hammer cited a
> >     conflict between web and enterprise cultures as his reason
> >     for leaving, noting that IETF is a community that is 'all
> >     about enterprise use cases' and 'not capable of simple.'"
> 
> Not sure how this is relevant to our discussion.
> 
> > See also "decommoditizing protocols [2]
> 
> Relevance? Explain?

It is very much: it illustrates how bigcorps subvert standards
processes and use their leverage to influence perception ("not
secure" as a moniker for "not OAuth" or "not our way") to nudge
people.

> You're not addressing what I wrote: I cited the OAuth RFC's explanation
> for why something like OAuth is more secure than plain password
> authentication. You've thrown in all sorts of interesting history and
> ideology, but haven't directly addressed the points in the RFC.

OAuth may be "more secure for third-party website authentication",
that is what it was made for. It definitely isn't more secure
than "password authentication over a verified TLS link", and that's
how e.g. IMAP works. Heck, I'd venture that IMAPS is more secure,
because simpler (no third party).

> > > I was referring to the client side - Chrome / Chromium achieved
> > > dominance (particularly on the desktop) largely because they were
> > > widely recognized as being more performant than the alternatives.
> > 
> > Remember that Google is an advertising company?
> 
> Of course I remember, but you keep ignoring the technical points I'm
> making, and instead argue from ideology and innuendo. Do you or
> do you not agree that much of Chrome / Chromium's success for years was
> due to its technical merits?

Not really. Firefox had its weak phase, but it was short and seems
over. And I'm sure that it is in Google's strategy to influence that
perception.

Cheers
-- t
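The distinction the message above rests on is the word "verified": a password sent over a TLS link is only as safe as the client's check that it is talking to the real server. The following is an added illustration, not code from anyone in the thread, of what that looks like for IMAPS in Python's standard library: a context that validates the certificate chain and host name, the weak context many mail scripts actually use (encryption without peer authentication), and a guard that refuses to send a password over the latter. Host, port, user and password values are constructed placeholders and no server is contacted unless you call imaps_login yourself.

```python
import imaplib
import ssl

# Constructed placeholder values (no real server behind them).
IMAP_HOST = "imap.example.invalid"
IMAP_PORT = 993  # IMAPS: TLS from the first byte, the setup the thread refers to


def verified_tls_context() -> ssl.SSLContext:
    """A context that validates the server's certificate chain against the
    system CA store and checks that the certificate matches the host name.
    These are already the defaults of create_default_context(); they are
    restated here so the requirement is explicit."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_tls_context() -> ssl.SSLContext:
    """The weak setting: the link is encrypted, but any party that can
    terminate TLS on the path (a MITM with a self-signed certificate) is
    accepted, and the password is handed straight to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def link_is_verified(ctx: ssl.SSLContext) -> bool:
    """True only when both CA verification and host-name checking are on;
    either one alone does not authenticate the peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def imaps_login(host: str, port: int, user: str, password: str,
                ctx: ssl.SSLContext) -> bool:
    """Plain IMAP LOGIN over IMAPS, but only over a verified link.
    Returns True when the server answers OK."""
    if not link_is_verified(ctx):
        raise ValueError("refusing to send a password over an unverified TLS link")
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    try:
        typ, _ = conn.login(user, password)
        return typ == "OK"
    finally:
        conn.logout()


if __name__ == "__main__":
    print("verified context ok:", link_is_verified(verified_tls_context()))
    print("unverified context ok:", link_is_verified(unverified_tls_context()))
```

The guard in imaps_login is the part worth copying: scripts that set CERT_NONE to silence a certificate error turn "password over verified TLS" into "password over a link to whoever is in the middle", which is the case the RFC text quoted earlier is really warning about.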
