On 6/28/23 2:51 PM, Keith Moore wrote:
On 6/28/23 16:31, Michael Thomas wrote:
My main problem is how the IESG failed so badly to not catch this. I
mean, how can the advice "bad guys should be good" get through review
of a BCP? So this is really a process problem, not a considered
harmful problem. I'm having a hard time coming up with an alternative
word describing how bad this is.
IESG will make errors from time to time, or fail to have perfect
foresight, as do we all. I'm not nearly so interested in pointing
fingers, as I am in identifying the problems with OAUTH and fixing it
(if it's fixable) or deprecating it.
I don't think there is any point in trying to deprecate OAUTH itself
since nobody is going to do anything about this unless it gets actively
exploited in the wild. The BCP, on the other hand, can be deprecated at
any time. I can't imagine that anybody deploying OAUTH first checks with
RFC 8252, so it being undone just undoes a mistake pretty much for free.
Mike