Trying to step away from the "big vendors vs. users" discussion...
I admit I have not followed events in the oauth WG, but I did read
Eran's post and his own follow-on comments, plus some others' who were
burnt by our processes. Some may want to construe it as "IETF bashing",
but what I'm reading is three concrete statements that IETF members can
respond to, and (if we accept them as true) consider how to address in
the future:
- A Web-focused protocol was forced to adopt enterprise use cases.
- The Security Area did not do a good job of providing the protocol with
useful review/feedback/support. (The original wording is much harsher.)
- The third statement is a cliché as far as SDOs, but we still need to
face it: simple protocols coming into the IETF are made complex,
sometimes too complex, in the process.
Thanks,
Yaron
PS: some background: OAuth is an important Web security protocol, very
widely used (Wikipedia link here). The blog post was written by the
person who has led (or co-led) the protocol for years, and actually
brought it into the IETF.