[OAUTH-WG] Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)

Michael Jones <michael_b_jones@hotmail.com> Thu, 03 October 2024 06:01 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-oauth-resource-metadata@ietf.org" <draft-ietf-oauth-resource-metadata@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 03 Oct 2024 06:01:01 +0000
Subject: [OAUTH-WG] Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)
In-Reply-To: <172793236988.1105259.6830337518090622561@dt-datatracker-7bbd96684-zjf54>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UhcYmDEyIghDGYxdaWDuOIEfvqs>

Hi Murray.  Thanks for taking the time to review the draft.  My responses are inline below, prefixed by "Mike>".

-----Original Message-----
From: Murray Kucherawy via Datatracker <noreply@ietf.org>
Sent: Wednesday, October 2, 2024 10:13 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-resource-metadata@ietf.org; oauth-chairs@ietf.org; oauth@ietf.org; rifaat.s.ietf@gmail.com
Subject: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)

Murray Kucherawy has entered the following ballot position for
draft-ietf-oauth-resource-metadata-11: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I concur strongly enough with John Scudder's comment about the IANA registry
that I'd like to discuss it.  Moreover, Section 4 of BCP 26 says:

   [...]  Newly minted policies,
   including ones that combine the elements of procedures associated
   with these terms in novel ways, may be used if none of these policies
   are suitable; it will help the review process if an explanation is
   included as to why that is the case.

Is that explanation available anywhere?  I think John's right, this is a
peculiar loophole, and it would be helpful to know why the WG thinks this is
necessary.  There's already a debate in progress about whether an I-D (which
expires) is viable in a Specification Required registry, and we're about to
charter a WG to revise BCP 26, so this is actually quite topical.

Mike> The explanation for the OAuth registration language is that we want to give authors of specifications proposing to register OAuth parameters the benefit of review by designated experts *before* the spec is completely done, so that if problems are found, they can iterate and fix them before making their specifications final.  I've been in many situations, both as the party registering and as the Designated Expert, where this pre-final review was priceless and resulted in improvements in the specification.  I'd be open to different (possibly more standard) language that still achieves this possibility.

Mike> For what it's worth, remember too that this language was written before RFC 8126 was.  If there's a more modern equivalent you can suggest, I'm all for it.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

On the flipside, I appreciate that so much good guidance was given to the
Designated Experts and even to us on how we should go about selecting them.  It
would be helpful if candidates could be nominated (if that hasn't already
happened) for approval by the IESG.

Mike> Deb and I have discussed some possible good candidates.

As rendered on the datatracker's HTML page, the numerous initial entries in
Section 8.1.2 are all run together.  Could we get them separated?

Mike> The rendering at https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-11.html#name-initial-registry-contents has extra vertical space between the entries.  The rendering at https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-11.txt also has a blank line between the entries.  What rendering are you viewing?  (I can work with the RFC Editor to make sure the visuals are good if I know where the problem rendering is.)

In Section 2, why is "resource_name" only RECOMMENDED?

Mike> Neither of the other OAuth metadata specs require a human-readable name.  "client_name" is RECOMMENDED at https://www.rfc-editor.org/rfc/rfc7591.html#section-2.  "service_documentation" is OPTIONAL at https://www.rfc-editor.org/rfc/rfc8414.html#section-2.  Consistency led me to the same treatment here.  Also, remember that the metadata is primarily for machine consumption - not human consumption.

In Section 2.1, second paragraph, the RECOMMENDED and SHOULD seem bare to me.
Why would we allow anything other than what's specified, especially since BCP
47 prescribes a particular behavior?

Mike> This is exactly the same language as used for OAuth Client metadata at https://www.rfc-editor.org/rfc/rfc7591.html#section-2.2.  Since this spec is entering the same OAuth ecosystem, I'm reluctant to make it different in any way.

Mike> I look forward to hearing back from you, particularly about the IANA registration goals and language.

                                Best wishes,
                                -- Mike
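The last two exchanges above concern how a consumer should treat the human-readable members of the resource metadata document: "resource_name" is RECOMMENDED rather than REQUIRED, and, following the RFC 7591 section 2.2 convention the reply cites, a human-readable value may be repeated under member names of the form "resource_name#<BCP 47 language tag>". The following is an added example, written for this archive page; it is not code from the draft, from its author, or from any OAuth implementation. It assumes a metadata document in which "resource_name" is the human-readable member, treats the "resource" member and all sample values as constructed test data, and checks language tags for RFC 5646 syntax only (not against the IANA subtag registry). Selection follows the RFC 4647 lookup idea (progressively truncating the preferred tag), with a fallback to the untagged value.

```python
import json
import re

# Syntactic check for a BCP 47 (RFC 5646) language tag: a primary language
# subtag followed by hyphen-separated alphanumeric subtags of 1..8 characters.
# This deliberately does not validate subtags against the IANA registry.
LANG_TAG_RE = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")

# Human-readable members of the draft that may carry a "#<tag>" suffix.
# Only resource_name is taken from the page; this set is an assumption.
HUMAN_READABLE = {"resource_name"}

# Constructed sample document (not from the draft). "resource" stands in for
# the resource identifier; the tagged variants follow the RFC 7591 style.
SAMPLE_METADATA = json.dumps({
    "resource": "https://resource.example.com",
    "resource_name": "Example Resource",
    "resource_name#ja-Jpan-JP": "サンプルリソース",
    "resource_name#fr": "Exemple de ressource",
})


def split_member(name):
    """Split 'resource_name#ja-Jpan-JP' into ('resource_name', 'ja-Jpan-JP').

    An untagged member yields (name, None). A member whose suffix is not a
    well-formed language tag is rejected rather than silently accepted.
    """
    base, sep, tag = name.partition("#")
    if not sep:
        return base, None
    if not LANG_TAG_RE.match(tag):
        raise ValueError(f"member {name!r}: {tag!r} is not a well-formed language tag")
    return base, tag


def parse_metadata(doc):
    """Parse a metadata JSON document into {base_name: {tag_or_None: value}}.

    Returns (values, warnings). A missing resource_name is reported as a
    warning, not an error, because the draft makes it RECOMMENDED only.
    """
    metadata = json.loads(doc)
    values = {}
    warnings = []
    for member, value in metadata.items():
        base, tag = split_member(member)
        if tag is not None and base not in HUMAN_READABLE:
            warnings.append(f"{member}: language tag on a non-human-readable member")
        if base in HUMAN_READABLE and not isinstance(value, str):
            raise ValueError(f"{member}: human-readable value must be a string")
        values.setdefault(base, {})[tag] = value
    if "resource_name" not in values:
        warnings.append("resource_name is absent (RECOMMENDED, not REQUIRED)")
    return values, warnings


def choose(values, base, preferred):
    """Pick the variant of `base` best matching the ordered `preferred` tags.

    For each preferred tag, try the tag and then progressively shorter
    prefixes (RFC 4647 lookup); a candidate matches a stored tag exactly or
    as a leading subtag sequence. Falls back to the untagged value, then to
    any variant, then to None if the member is absent.
    """
    variants = values.get(base)
    if not variants:
        return None
    tagged = {tag.lower(): v for tag, v in variants.items() if tag is not None}
    for want in preferred:
        parts = want.lower().split("-")
        while parts:
            candidate = "-".join(parts)
            if candidate in tagged:
                return tagged[candidate]
            for tag, value in tagged.items():
                if tag.startswith(candidate + "-"):
                    return value
            parts.pop()
    if None in variants:
        return variants[None]
    return next(iter(variants.values()))


if __name__ == "__main__":
    values, warnings = parse_metadata(SAMPLE_METADATA)
    for w in warnings:
        print("warning:", w)
    for prefs in (["ja"], ["fr-CA"], ["de"]):
        print(prefs, "->", choose(values, "resource_name", prefs))
```

Rejecting malformed tags at parse time keeps a consumer from keying display strings on attacker-shaped member names, while treating a missing resource_name as a warning mirrors the RECOMMENDED status discussed in the thread.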