Re: RFC 8252 is a complete joke

On 6/22/23 6:13 AM, Abdussalam Baryun wrote:


> You maybe brought it up within discussion only but not in presentation/doc to WG.
> Updating 8252 with you authoring new_draft proposal/input can get interest to adapt it,
> and as long as 8252 is used/BCP then the best choice is to make update_input (i.e. as you mentioned before re_write).

After the last round of incoherent prattling about "native apps are your first problem" when the reality is that there are hundreds of thousands of them on app stores and they are widely used, I'd rather not have another go at that. The problem here is that IETF shouldn't be compounding the problem by giving users a false sense of security that their possibly valuable credentials won't be stolen.

Frankly, I'm beginning to question whether federation for login that involves passwords is a good idea in all cases. OAUTH seemed to carve out a very narrow use case that seemingly is safe for the web, but unsafe for the more general case which is how a huge swath of users experience being online these days. I know that OAUTH didn't have a crystal ball about the rise of phone apps when they started, but by the time the BCP was written it was well established. Telling bad guys to not be bad is not the answer and the IESG should move that terrible take to historic.

Mike

