On 7/5/23 1:12 PM, Brian E Carpenter wrote:
> On 06-Jul-23 04:52, Keith Moore wrote:
>> On 7/5/23 07:03, Roman Danyliw wrote:
>>> RFC8252/OAuth is the product of a robust and very active WG which
>>> has all of the supporting processes to discuss the work. Please use
>>> the associated mailing list for OAuth to discuss OAuth related
>>> technologies -- https://www.ietf.org/mailman/listinfo/oauth.
>>
>> The point is that OAuth is inadequate. We need something different.
>
> I read the point as being that (in Michael's opinion) the IESG didn't
> do its job when reviewing RFC8252. That seems like a valid topic for
> this list, although of course it is years too late and an appeal at
> the time the draft was approved would have been the only recourse
> available.

The most baffling thing to me is that it does seem like at least 2 IESG
members did their job but filed a "No Objection" anyway. The entire BCP
seems to live and die by the premise that bad guys should be good. And
where were the security ADs in all of this? Where were the chairs? How
can something so obvious to non-security ADs in IESG review not be
caught well before something comes up for last call? The adult
supervision seems to have completely failed.

What's most concerning is that using OAuth for SSO is getting very
common these days and could very easily be exploited with extremely bad
results for high value authenticators. Essentially, IETF is legitimizing
a BCP that is open to phishing attacks at its base. That is terrifying.

Mike, I sure hope no bad guys are tuned in here