Re: RFC 8252

On Thu, Jul 6, 2023 at 1:56 AM Michael Thomas <mike@xxxxxxxx> wrote:

On 7/5/23 1:12 PM, Brian E Carpenter wrote:
> On 06-Jul-23 04:52, Keith Moore wrote:
>>
>> On 7/5/23 07:03, Roman Danyliw wrote:
>>>
>>> RFC8252/OAuth is the product of a robust and very active WG which
>>> has all of the supporting processes to discuss the work.  Please use
>>> the associated mailing list for OAuth to discuss OAuth related
>>> technologies -- https://www.ietf.org/mailman/listinfo/oauth.
>>>
>> The point is that Oauth is inadequate.  We need something different.
>>
>
> I read the point as being that (in Michael's opinion) the IESG didn't
> do its job when reviewing RFC8252. That seems like a valid topic for
> this list, although of course it is years too late and an appeal at
> the time the draft was approved would have been the only recourse
> available.

The most baffling thing to me is that it does seem like at least 2 IESG
members did their job but filed a "No Objection" anyway. The entire BCP
seems to live and die by the premise that bad guys should be good. And
where were the security ADs in all of this? Where were the chairs? How
can something so obvious to non-security ADs in IESG review not be
caught well before something comes up for last call? The adult
supervision seems to have completely failed.

IMO, the ietf_community is also responsible for any success or failure of any RFC/BCP. IMO the procedure of the IESG needs to be amended so that it is not the WG AD who delivers/reviews the doc to the IESG; it should be done without that AD, to give a chance for easy push backs, especially for BCP proposals.

What's most concerning is that using OAUTH for SSO is getting very
common these days and could very easily be exploited with extremely bad
results for high value authenticators. Essentially, IETF is legitimizing
a BCP that is open to phishing attacks at its base. That is terrifying.

Any known_protocol can come under bad attacks; what is new? Security groups don't standardize/publish all their needed technical implementations. Furthermore, it is always easier to attack than to secure standardized_technology.


Mike, I sure hope no bad guys are tuned in here

Good guys know that bad guys are hiding/listening, so they don't tell them everything they will do/add. On the other hand, bad guys don't announce their protocol_attacks. However, bad guys should try to become good and stop attacking.

AB
