On 7/5/23 1:12 PM, Brian E Carpenter wrote:
> I do agree that any actual *action* such as a draft replacing RFC8252
> or proposing a new auth mechanism belongs elsewhere.

Also: I had no idea what the proper venue was beyond the OAUTH wg which
would be pointless since they were extremely hostile when I first
brought it up and I'm not eager for another beating down. There needs to
be some process recourse when a wg has gone off the rails even if it's
years after the RFC was issued. I mean, what if this is being
actively exploited in the wild but the wg doesn't want to hear about it?
Security protocols, IMO, need to be held to a higher standard overall
where panic buttons are possible as necessary from a process standpoint.
Mike