On 6/28/23 16:31, Michael Thomas wrote:
My main problem is how the IESG failed so badly to catch this. I
mean, how can the advice "bad guys should be good" get through review
of a BCP? So this is really a process problem, not a considered
harmful problem. I'm having a hard time coming up with an alternative
word describing how bad this is.
IESG will make errors from time to time, or fail to have perfect
foresight, as do we all. I'm not nearly so interested in pointing
fingers, as I am in identifying the problems with OAUTH and fixing it
(if it's fixable) or deprecating it.
IMO the correct action is to reclassify the current OAUTH as
informational (since it's still being implemented and would likely
continue to be implemented after publication of the RFC), and recommend
against its use. I personally think it has too many problems to fix,
but the need for something in approximately that space will remain.
I'll reserve judgment on whether there's anything in OAUTH that is
salvageable in some form or what it should be called.
OAUTH probably does deserve a considered harmful draft, but at this
point it is just pissing in the wind because nobody who is misusing it
will listen. I have been writing a blog post off and on about this and
me hitting the publish button would have about the same effect.
People won't listen until enough other people start talking. When
there's an effort to suppress constructive dialog, it's even more
important to talk.
Keith