Hi Chris,
Please note that this is an ietf_process discuss regarding ietf_security_area_and_WG process, so if you are having your hat to moderate the discussion, please help us to bring IETF_process_responsible_with_hats to discuss with one participant complaining about such process.
I hope we get responds to all complains from Sec_ADs and WG_Chairs (while having their hats on to help progress in this thread). I hope you enable the discussion to be seen by all participants in IETF.
This will be my last comment and last message in this issue.
Take Care,
AB
On Wed, Jul 12, 2023 at 6:47 PM Chris Box <chris.box.ietf@xxxxxxxxx> wrote:
This is a very valuable discussion on authentication and identity, and one with big implications for the Internet. But I have to say again: the IETF list is not the right venue to discuss it.When this thread discusses IETF and IESG process, that's fine.When it discusses the authentication problem, it is out of scope because this list is defined as being the one for which no other better list exists.In this case we have a choice of better lists: OAUTH, SAAG and SECDISPATCH. In case it helps you choose, this paragraph of Rob's might be useful:But IETF does have a process for rectifying problems – i.e., follow the same IETF process as how the original RFC was published. E.g., write a draft indicating the problems with RFC 8252 and marking that RFC as historic. But you would still need to achieve rough consensus to publish, which means that you need to convince a significant proportion of the IETF security community that this is the right thing to do. If you can convince the OAUTH folks then that would probably be the easiest path, but if you can’t then trying to bring it to SAAG or SECDISPATH seems like the alternative path. But it is still possible, that despite its flaws that RFC 8252 still has IETF consensus as a BCP.I hope you can see the logic in moving this off the general IETF list. If you disagree on the scope question, please email moderators@xxxxxxxx.Thank you,Chris
