I have no clue what you are responding to.
Mike
On 7/12/23 9:46 AM, Chris Box wrote:
This is a very valuable discussion on authentication and identity, and one with big implications for the Internet. But I have to say again: the IETF list is not the right venue to discuss it.
When this thread discusses IETF and IESG process, that's fine.
When it discusses the authentication problem, it is out of scope because this list is defined as being the one for which no other better list exists.
In this case we have a choice of better lists: OAUTH, SAAG and SECDISPATCH. In case it helps you choose, this paragraph of Rob's might be useful:
But IETF does have a process for rectifying problems – i.e., follow the same IETF process as how the original RFC was published. E.g., write a draft indicating the problems with RFC 8252 and marking that RFC as historic. But you would still need to achieve rough consensus to publish, which means that you need to convince a significant proportion of the IETF security community that this is the right thing to do. If you can convince the OAUTH folks then that would probably be the easiest path, but if you can’t then trying to bring it to SAAG or SECDISPATH seems like the alternative path. But it is still possible, that despite its flaws that RFC 8252 still has IETF consensus as a BCP.
I hope you can see the logic in moving this off the general IETF list. If you disagree on the scope question, please email moderators@xxxxxxxx.
Thank you,Chris
