Re: RFC 8252

> On Jun 28, 2023, at 4:31 PM, Michael Thomas <mike@xxxxxxxx> wrote:
> 
> My main problem is how the IESG failed so badly to not catch this. I
> mean, how can the advice "bad guys should be good" get through review of
> a BCP? 

For what it’s worth, I see two IESG members did acknowledge the issue you raise while the document was being evaluated [1], even using language very similar to your comment quoted above. Adam Roach’s ballot says,

"The thesis of this document seems to be that bad actors can access authentication information that gives them broader or more durable authorization than is intended; and appears to want to mitigate this predominantly with a single normative statement in a BCP telling potential bad actors to stop doing the one thing that enables their shenanigans.  For those familiar with the animated series "The Tick," it recalls the titular character yelling "Hey! You in the pumps! I say to you: stop being bad!" -- which, of course, is insufficient to achieve the desired effect."

and Ben Campbell’s ballot says "I agree with Adam's general sentiment about detection of bad behavior vs asking people not to be bad."

Adam’s ballot goes on to note that, "I see that there is nevertheless "strong consensus" to publish the document". This gets to the heart of the matter: it’s not in the IESG’s remit to substitute their preferences for IETF consensus, which is what I take Adam to be ruefully acknowledging. For similar reasons, to your earlier,

> On Jun 22, 2023, at 3:09 PM, Michael Thomas <mike@xxxxxxxx> wrote:
> 
> IESG should move that terrible take to historic.

It’s also not in the IESG’s remit to unilaterally reclassify documents. The normal way of doing that is (as AB hints) for someone to write a short Internet Draft called “Reclassification of RFC foo as Historic” or the like, and progress it through the normal process. You can easily find examples by searching the RFC archive for the string “historic” in the title. Of course, part of “the normal process” involves getting IETF consensus to publish.

It also may be interesting to look at the email follow-up to Adam’s ballot [2] although for all I know it may only be rehashing positions you’re already aware of.

So while you may view the document as wrong-headed, it was evidently not approved in ignorance of your point nor do the document authors appear to have minimized or disregarded it.

Regards,

—John

[1] https://datatracker.ietf.org/doc/rfc8252/ballot/
[2] https://mailarchive.ietf.org/arch/msg/oauth/1gAqHXoqzMW9uYavDqOECreKq0U/
