Without wishing to litigate the entire issue here (happy to remove the wider IETF list and just talk on the OAuth group), we never brought any work to the OAuth group because everybody who we spoke to warned us that nothing would get done.There's a term "missing stair" https://en.wikipedia.org/wiki/Missing_stair which describes this phenomenon, where "everybody knows" something, but new participants are forced to discover it through either having someone tell them quietly, or just notice it for themselves....Just as an anecdote, the last time I bothered to attend an OAuth meeting in person I had this to say about it on our internal slack channel when asked:"they can't agree about what they don't agree on".The topic that had taken basically the entire meeting and had been totally unproductive - was a particular key in a JSON Web Token going to clash with a reserved word in either _javascript_ itself or one of the other environments in which this token had to be evaluated. There were people saying "this won't work, just rename the key" and others saying "I like this name and insist upon us keeping it". No progress was made that day.In fact, here's the extract of my report on the OAuth meeting at IETF102 (a detailed long email with pictures of poutine, icecream, and a report on every session I attended). Names extracted to protect the others involved, but other text left exactly as it was, complete with typoes:Thursday 19th: (Aug 2018)9:30am OAUTH: Fecking OAUTH as they say. I came out of this saying "they can't even agree about what they don't agree on". <Name redacted> says it was even worse in the past. What a fustercluck. Don't expect anything workwhile out of this group unfortunately. <Other name redacted> and I were just looking at each other like WTF the entire time.Maybe it's become heaps better since then. But I wouldn't want to have been a new participant trying to get anything done in that session....The authentication flow as originally put into JMAP (before it came to the IETF) can be seen in the initial draft here if you're interested:But we decided in the interests of expediency to just drop it rather than trying to progress that work anywhere at the IETF.Regards,Bron.On Tue, Feb 23, 2021, at 22:00, Hannes Tschofenig wrote:Hi Bron,
I have to respond to your statements about the OAuth working group below.
While we do not pay attention to keeping the charter page up-to-date, we have been able to advance our documents, produce many implementations, and got those deployed all over the Internet.
The bar for acceptance of new work varies among working group in the IETF. Some working groups develop technology that got widely deployed and hence randomly changing specs isn’t such a great idea because you have to consider the deployment situation as well. This is a situation many IETF working groups face. Reaching (widespread) deployment is great on one hand and a pain on the other.
There are other groups, which are early in their lifecycle. In those groups you do not need to worry about deployments, backwards compatibility or even any source code.
In general, Rifaat and I are always open for anyone in the IETF (and outside) to reach out to us, if they want to bring new work forward to the group. Sometimes proposed work fits into the group and sometimes it does not. The work on JOSE, for example, was put into a separate working group even though it was initially developed for use with JSON Web Tokens.
I don’t recall having chatted with you or with someone from the JMAP community on the use of OAuth. Sorry if my memory does not serve me well today. Typically, applications just use OAuth and therefore there is no need to reach out to the OAuth working group.
Ciao
Hannes
From: ietf <ietf-bounces@xxxxxxxx> On Behalf Of Bron GondwanaSent: Tuesday, February 23, 2021 5:20 AMTo: ietf@xxxxxxxxSubject: Re: Diversity and Inclusiveness in the IETF
Thanks Fernando,
I would add to this document something about inertia, backwards compatibility and existing dysfunction.
Many ideas are shut down because they aren't in the right place, or don't fit comfortably into the existing corpus of IETF documents.
When we brought JMAP to the IETF it was after a long process of socialisation, and still there was significant work in the first couple of meetings just to convince people that "this is worth doing, the existing work the IETF has done in this neighborhood is not sufficient".
JMAP also had an authentication scheme in it originally. It was a good authentication scheme, but applications don't do authentication schemes, that's the bailiwick of OAUTH, where ideas go to die (in my experience, that working group has been dysfunctional for my entire time at IETF - exhibit 'A' being the "Milestones" section of the about page, which lists 6 items all due in 2017)
So we just removed all mention of authentication method and handwaved "the connection will be authenticated", because we wanted to publish something during the decade with years starting '201'.
... all that to say. One of the biggest barriers to entry in the IETF is stumbling across an area in which no work is able to progress due to entrenched issues within that area.
And I'm not arguing for "no barriers to entry", because there needs to be a sanity check that we're actually producing high quality specifications, and that our specifications are compatible with each other so the entirety of the IETF's work product is a coherent whole. But it's hard to get started if you don't already have the connections to have your work sponsored by somebody who already knows their way around the IETF's idiosyncrasies. I'm doing some of that sponsoring myself now for the people from tc39 who are trying to get the IETF to look at defining an extended datetime format.
Cheers,
Bron.
On Tue, Feb 23, 2021, at 11:07, Fernando Gont wrote:
Folks,
We have submitted a new I-D, entitled "Diversity and Inclusiveness in
the IETF".
The I-D is available at:
We expect that our document be discussed in the gendispatch wg
(https://datatracker.ietf.org/wg/gendispatch/about/). But given the
breadth of the topic and possible views, we'll be glad to discuss it
where necessary/applicable/desired.
As explicitly noted in our I-D, we're probably only scratching the
surface here -- but we believe that our document is probably a good
start to discuss many aspects of diversity that deserve discussion.
Thanks!
Regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
So you have never reached out to us to try to bring any work to the WG, and based on attending one meeting and hearing from a few people, you formed a strong opinion and declared that "nothing would get done"? that seems odd.
For your information, last year we published 4 RFCs, and we already have 3 documents with the IESG and more to come.
If you have anything you want to bring to the OAuth WG, Hannes and I would be happy to discuss this with you or anyone that wants to bring work to the OAuth WG.
Regards,
Rifaat
On Tue, Feb 23, 2021 at 6:52 AM Bron Gondwana <brong@xxxxxxxxxxxxxxxx> wrote:
