OpenID Foundation says 'Sign in with Apple' has critical gaps, urges changes


Comments

  • Reply 21 of 24
    jogu Posts: 9 member
    There is absolutely nothing about OpenID/OAuth 2.0 that Apple cares about. Their solution isn't about conforming with it. Sign in with Apple has no interest in opening up its middleware to OpenID which has a history of flaws. Among the many flaws is phishing.
    Apple is using OAuth 2.0 and OpenID as the basis for their implementation of 'Sign In with Apple', so it does seem that they have some interest in it and (as the OpenID Foundation letter says) they already conform to a good portion of the standard.

    Nothing in the article or letter suggests Apple should open up their middleware. The suggestion is that Apple make their software interoperable with existing software out there that supports OpenID already, instead of that software having to make custom tweaks to the source code to work around oddities in Apple's implementation. This would not in any way increase the risk of SIWA being a phishing vector. The letter also lists some potential security issues that Apple may wish to address.

  • Reply 22 of 24
    cropr Posts: 1,137 member
    You’re making the curious assumption that OpenID is correct in their analysis or that their goals are Apple’s goals.

    Just because someone says Apple is doing it wrong doesn’t mean they are.
    You are making the curious assumption that everything that comes from Apple is secure. Maybe you confuse security with data privacy.

    The track record of security in Apple products has some serious hiccups: the macOS root access bug in High Sierra is perhaps the best-known example.

    edited June 2019
  • Reply 23 of 24
    dewme Posts: 5,631 member
    I trust OpenID if they say there are security holes. And given the importance and visibility to Apple, I’m sure they’ll address the security issues before releasing SIWA.

    As for compatibility with generic OpenID? Nice for OpenID, but it would only muddy the waters when it comes to customers understanding what SIWA is all about. I'd be surprised if Apple makes that a priority.
    The thing is, OpenID is not saying there are security holes. Read their statement: 

    "which could nominally leave people exposed to code injection and replay attacks."

    If you're running Safari, right-click on the word "nominally" and select "Look up nominally." Or look it up in a dictionary.

    Standards organizations are populated with wordsmiths who choose their words very carefully. They are not identifying any actual security holes that they have found. They are only saying that there is a possibility that an issue may or may not actually exist. Identifying a possibility is one of the weakest arguments one can make. If they were stating a probability, with a hard number or range of numbers, then we'd have to take a much more serious approach.

  • Reply 24 of 24
    dewme said:
    I trust OpenID if they say there are security holes. And given the importance and visibility to Apple, I’m sure they’ll address the security issues before releasing SIWA.

    As for compatibility with generic OpenID? Nice for OpenID, but it would only muddy the waters when it comes to customers understanding what SIWA is all about. I'd be surprised if Apple makes that a priority.
    The thing is, OpenID is not saying there are security holes. Read their statement: 

    "which could nominally leave people exposed to code injection and replay attacks."

    If you're running Safari, right-click on the word "nominally" and select "Look up nominally." Or look it up in a dictionary.

    Standards organizations are populated with wordsmiths who choose their words very carefully. They are not identifying any actual security holes that they have found. They are only saying that there is a possibility that an issue may or may not actually exist. Identifying a possibility is one of the weakest arguments one can make. If they were stating a probability, with a hard number or range of numbers, then we'd have to take a much more serious approach.

    Respectfully, maybe you should re-read their statement. OpenID is saying there are security holes and they are identifying them. They even link to the issues in the same paragraph you're quoting from (the hyperlink is "a host of differences"). Whether their claims ultimately prove to be true is a different matter. Regardless of the veracity of their claims, you made the mistake of parsing their quote, excerpting a portion, and then building an argument around it. Context matters. That full sentence reads, "An example of the latter is absence of PKCE in the Authorization Code grant type, which could nominally leave people exposed to code injection and replay attacks." That sentence is about one example, not their entire premise.
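The sentence quoted in the reply above names one concrete mechanism, PKCE (RFC 7636) in the Authorization Code grant, and the two risks its absence leaves open: an intercepted code being replayed, or a code minted in one session being injected into another. The following is an added illustration, written for this page and not code from Apple, the OpenID Foundation, or any commenter, of what the token endpoint gains from PKCE. The authorization server, client identifiers and redirect URI are toy values constructed for the example; the S256 challenge derivation itself is the one RFC 7636 specifies.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # A high-entropy secret the client keeps to itself (43-128 unreserved chars).
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))). Only this value
    # travels in the front channel, so seeing it does not reveal the verifier.
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Constructed for this example: issues codes bound to a PKCE challenge
    and a redirect URI, then verifies both at the token endpoint."""

    def __init__(self) -> None:
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' adds no protection")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> Optional[str]:
        # pop() makes the code single-use: a second presentation (replay) fails.
        record = self._codes.pop(code, None)
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        # Without the original verifier the challenge cannot be reproduced, so a
        # code lifted from one session cannot be redeemed in another (injection).
        expected = record["code_challenge"]
        if not secrets.compare_digest(make_code_challenge(code_verifier), expected):
            return None
        return "access-token-" + secrets.token_hex(8)


def run_demo() -> Dict[str, bool]:
    """Exercise the three cases the quoted sentence is about."""
    server = ToyAuthorizationServer()
    client_id, redirect_uri = "example-client", "https://client.example/cb"

    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    legitimate = server.token(client_id, redirect_uri, code, verifier) is not None

    # Same code presented again, even with the right verifier: rejected.
    replay = server.token(client_id, redirect_uri, code, verifier) is not None

    # A code issued for one session, redeemed by a party holding a different
    # verifier (they saw only the challenge): rejected.
    code2 = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    injected = server.token(client_id, redirect_uri, code2, make_code_verifier()) is not None

    return {"legitimate": legitimate, "replay": replay, "injected": injected}


if __name__ == "__main__":
    print(run_demo())
```

The replay check comes from the code being single-use, the injection check from the verifier/challenge binding; a server that accepts only the `plain` method or no challenge at all keeps the first property but loses the second, which is the gap the quoted sentence refers to.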