On Thu, Jul 6, 2023 at 2:59 AM Michael Thomas <mike@xxxxxxxx> wrote:
> On 7/5/23 1:12 PM, Brian E Carpenter wrote:
> >
> > I do agree that any actual *action* such as a draft replacing RFC8252
> > or proposing a new auth mechanism belongs elsewhere.
> >
> Also: I had no idea what the proper venue was beyond the OAUTH wg which
> would be pointless since they were extremely hostile when I first
> brought it up and I'm not eager for another beating down. There needs to
> be some process recourse when a wg has gone off the rails even if it's
> years after the RFC was issued. I mean, what if this is being
> actively exploited in the wild but the wg doesn't want to hear about it?

IMHO, as I understand IETF procedure, if someone is part of the IETF WG (i.e. a WG participant who discusses on WG lists and shows up in meetings), then they must prove that they are with full consensus during WG LC (i.e. the first_community round for consensus). If that round finishes, we should go to the second community_round during IETF LC, so did you continue to comment in IETF LC while the IESG asks the community for feedback?

> Security protocols, IMO, need to be held to a higher standard overall
> where panic buttons are possible as necessary from a process standpoint.

Also the ietf_community needs to take responsibility and not only blame the IESG, so both are responsible and let us all fix it if needed.

Best Wishes
AB