Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

On 10/28/20 11:39 AM, Benjamin Kaduk wrote:
Hi Mike,

On Tue, Oct 27, 2020 at 06:26:03PM -0700, Michael Thomas wrote:
PS: I hope that this doesn't turn into a prosecution of whether my
examples are right or wrong, because that utterly misses the point. The
issue here is that working groups are tribalistic, and people who upset
that tribalism are the enemy. Until you deal with that problem, nothing
will happen.
I don't want to prosecute your examples, and I do believe that your
examples happened roughly as you describe.  But I do want to ask whether we
might have already improved since your experiences occurred -- for example,
I am failing to find anything in the OAuth archives from you more recently
than 2012.  While the OAuth WG is not always a shining example of comity, I
can think of several recent cases where someone who is not part of the WG
mainstream comes in and attempts to raise some issues with one document or
another.  Yes, some participants ignored or tried to reject these points,
but others (myself included) did engage with the reporter to tease out
where the actual issues lie, whether there is a prerequisite for the
perceived issues that is explicitly out of scope for the work, whether the
proposed mitigation violates protocol invariants, etc.  So, I am hopeful
that the current situation is not as dire as the picture you have painted
(and we will, of course, work to improve in the future).

As I said, I'm willing to believe that that was a rather unique set of circumstances, and yes, it was around 2012. I don't even remember why I took an interest in it... although I was working on some stuff that required OAUTH around then in a phone app, and that probably got me thinking about the issue. From the wg's standpoint I was a random nobody, though Barry of course knew me. If this thread is solely to entice security researchers to lob papers over the wall, then sure. But as I mentioned earlier, it would be nice to actually interact with the person who found it (or thinks it could be a problem) to clarify and perhaps correct some incorrect assumptions, etc. At worst, it might result in an erratum to clarify what led the researcher astray; at best, it results in fixes that might have been rejected because the wg didn't understand the paper.

Mike
