On 7/6/23 12:53 AM, Abdussalam Baryun wrote:
On Thu, Jul 6, 2023 at 2:59 AM Michael Thomas <mike@xxxxxxxx> wrote:
On 7/5/23 1:12 PM, Brian E Carpenter wrote:
>
> I do agree that any actual *action* such as a draft replacing RFC8252
> or proposing a new auth mechanism belongs elsewhere.
>
Also: I had no idea what the proper venue was beyond the OAUTH wg, which
would be pointless since they were extremely hostile when I first
brought it up and I'm not eager for another beating down. There needs to
be some process recourse when a wg has gone off the rails, even if it's
years after the RFC was issued. I mean, what if this is being
actively exploited in the wild but the wg doesn't want to hear about it?
IMHO, as I understand IETF procedure, if someone is part of the IETF WG (i.e. a WG participant who discusses on WG lists and shows up in meetings), then they must prove that they are with full consensus during WG LC (i.e. the first community round for consensus). If that round finishes, we should go to the second community round during IETF LC, so did you continue to comment in IETF LC while the IESG asked the community for feedback?
I had no idea that RFC 8252 was going on. Requiring IETF
omniscience is a complete non-starter. Not everybody's day job is
to monitor sketchy work coming out of working groups. ADs can
barely do that. Barely. The rest of us, not so much.
And if IETF cannot rectify harmful errors after the fact, that is
another process failure. Bad guys are thankful if IETF thinks that
last call is sacrosanct and the last word. The rest of the world
is glad that CVEs exist.
Unless it is the opinion of the IETF that the participants must
be full time, this is extremely wrong-headed. The IETF would lose
probably 99% of its participants if that were true.
Mike