[OAUTH-WG] Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)

Michael Jones <michael_b_jones@hotmail.com> Mon, 14 October 2024 23:47 UTC

Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA325C14F60B; Mon, 14 Oct 2024 16:47:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level:
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ttggRyT3Eb9; Mon, 14 Oct 2024 16:47:31 -0700 (PDT)
Received: from CH5PR02CU005.outbound.protection.outlook.com (mail-northcentralusazolkn19012062.outbound.protection.outlook.com [52.103.20.62]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0D9AC14F6FF; Mon, 14 Oct 2024 16:47:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=BxAYu8bSd5DTPa+53ABu2wmFZYGKXLg9T4aWsxCCdkAgCLWM/j0vBYWxZ2+eamqbY2FQ91AE1k9B+7ogXJuJ6+BIK2vvojd6y8hMQPtgclviwi/DqMFyBlQYCDzLViBB0tDlDOaalaBYzEjXehOXbdhEClE+Oefcj8KPe0+x1J65hu770s17kTSkLp3/C4RU34jAIDsaZbNGOcfsNwuKkEAw9MQbKd93uZDjcWFZ6w+ISCCUNVRZ8Aq/Ch0wJoOs/i0OthPNXGz7zRqiuvBO97AJVL7kl25VIsZQE5zqiWLm0Uk3ss8zqdmCegHtOZNIdKdYr2rXlCbglrR3OdXBCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=esFeyfNlcwpnDeJnSgDuvqTkw08A6+MMsZ7RMVcY2yI=; b=V9tU7lJYZ6XjCUEYzMcL6kcMPk3LuI/IyPdE0U0w2dIw0RfjWkzNrF466GWmiWyZjyCGySFKwv5re1to4ZE8FIOegE10Y+cg2iVrHXocG/oCdUL9Hqaziy+OTZxN55fEjzN6YPI8IpFh7FsvPl0gELQ3RYGAVJFnhd8LqEHmwi3qFsVfEturzbA/KajhxtvZwf1v65lev1tD+bnyZf9+4Ne3ZvMucN2ktOwMZsRucR/jsiO7AW6nWDADt+RN5vV9HXrxQyLwpuX5by6tmKH3Q1oNgTUnKloQXRLno8m4LzovyBi8pK9eW418bgPVHxSLsjRV4G8e31/ozAKsKPQ63A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=esFeyfNlcwpnDeJnSgDuvqTkw08A6+MMsZ7RMVcY2yI=; b=miWHfmjxksos+fUN0YWa+aeBN6iKYnEvJT0NFMJtIvjBCcI3lUH9qm+YZ6AcfK/1SvmxK8R2B+AL60Od5isOvyykKYE6GB9mEdCM3ixMGKH8VP1DlbgfYjKBsYIv7y72kZsu1R+rpQiO3FFhgLQZQ/awxDmSWVIW0EmAO+VX1JsShnh4Yntp12+HOHJ3+bk6gEx/O3yxec2F31oTFrGOV04X/AAxV8vLKB7mFb8nZrOFZmxRb6AkEsdw8+cAlDzQHxsTkDoka6CFTN/9+z9y1AHSnfy9Djn91TB9c4Hz5j8QF/9UqJb/hRI26/8Mrl38UiBMLLaiBHAX5hNrZHlSmQ==
Received: from SJ0PR02MB7439.namprd02.prod.outlook.com (2603:10b6:a03:295::14) by MW4PR02MB7234.namprd02.prod.outlook.com (2603:10b6:303:76::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8048.27; Mon, 14 Oct 2024 23:47:29 +0000
Received: from SJ0PR02MB7439.namprd02.prod.outlook.com ([fe80::6394:e79c:c32a:4c6a]) by SJ0PR02MB7439.namprd02.prod.outlook.com ([fe80::6394:e79c:c32a:4c6a%3]) with mapi id 15.20.8048.020; Mon, 14 Oct 2024 23:47:29 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>, "Murray S. Kucherawy" <superuser@gmail.com>
Thread-Topic: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)
Thread-Index: AQHbFVLmTBf0uJViz06wt3Klgcr3/rJ0gIHggAulNACAACn1IIAGrCxw
Date: Mon, 14 Oct 2024 23:47:29 +0000
Message-ID: <SJ0PR02MB7439CC9D556D99F9ADD26465B7442@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <172793236988.1105259.6830337518090622561@dt-datatracker-7bbd96684-zjf54> <PH0PR02MB743070CC3DFE361611BC1BD7B7712@PH0PR02MB7430.namprd02.prod.outlook.com> <CAL0qLwZcS79PmMewOvyGDiiMCLqQKAbM=izMcQOtcgXjzbQvUg@mail.gmail.com> <SJ0PR02MB743961B8799A42E0673B3615B7782@SJ0PR02MB7439.namprd02.prod.outlook.com>
In-Reply-To: <SJ0PR02MB743961B8799A42E0673B3615B7782@SJ0PR02MB7439.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR02MB7439:EE_|MW4PR02MB7234:EE_
x-ms-office365-filtering-correlation-id: b921c418-1a39-4127-ce55-08dcecaa90cf
x-microsoft-antispam: BCL:0;ARA:14566002|9400799024|7092599003|15080799006|8062599003|19110799003|8060799006|12050799009|461199028|1602099012|4302099013|3412199025|440099028|102099032|10035399004|1710799026;
x-microsoft-antispam-message-info: fN04L2F38McYJfPhtFdG/3eos/9kHD+4oVQvkvPdFDHvW3eTqQTNzh4zzJsnvMNgqGpngJb3UVH5ovchM3TIhQCs6IyCveRm2jyU7oRLcwxnVHUMcFtCaQ7b0KAc4Eiutrlwbc/dPwztRnQY+IOLmuLCn1zf9tAyz2Y9q3EANV5RpepB0dPeR/sqPTpSywEnBCTq6Q+SEoXCXw0cYqKsY1YuHcNww4SyVBi7BJZlZDRCuK9+6sWXsSJ8EdQSk1QD15RkwPuVlwRixqNddYsM95tCHAX1Eln9W+pkX9nZ059NFStv2+EtRIKZ1ysVWJPx/LDr5hSun9b0w1VgXmfDXph/mo59333w8Y4K5n7N4cLSdKmftwJkUWaXEK81s7Jv10DI8E3So9fUJWLOTrzrDfR3x2hKW2bebyxrfU7jhw1xghanmqPcr7MmyJGAIq1BYSYdJ11Ow5EQBx0LfZ61jH0nTL+vKb416gEHECYDJmgN8MMhfXoSuCESm2aY6Vac+C3GqaSY6yw0g7GIg0jvjWN+pWqCRWytc6V3KDadiTBHaW65bBUAQd8lD4rtfF4eAMX8o5SCXE6AugdmOGXYKAMWUq8vYu7qNLSD0rgsk6wXf++0xXNBQmMb/TTJF453SuoL32RMjqahGQ8sQ8CqzqalCfkquQvBKxQ4JuI0V0CRoutQN+SzvgPvmEpqsFtVHqOxKy+V556d41N02ssPBYBg9N9tywehY0T8gZu0M5G8q6DFgb82YNlYA6DMKo4FipFu1O0Xyr8t0c1okBpQIvVDiueK/dejktXLHbZRCycXmxDFq5LuTDwOzRj44LpDAhIkQ4BCEyO6X9+EO2x6DK/YKkvZO+3TqqG4OjD6g61kBjeJxts5nmLxiZcmm5Km7ZTo1CV/+Xjhzlz9pu7rL1vV7SPdQFZZzJedizr7N90ZjTE7DPPqZYh3CMAcxj1E37ul/GaBOkjY1iNWzhMkeaO5liTn9B2UKESq+l6UvLU=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: j8ITJ2OpoHOm+rS4wuRgVWH4V3j8rZLyKJG2dAHfmwrSL1IhJ1GL9QpUyccH/ToYdWBG5jOKd+kzFsi9TdsUI7fX3Xj+4oRLR6dUjfdfYR07p0jIdBc998s5AkQVJyAPb1KS9OzNohKiIyQEcthCYyfSzdQ4hHnNsXGcE39FWmp8ILJPN7b+u0CzLm06M2Fa+GBsY8HavbfUX+VkMNkRANYHXDKMtVmrTYHp44ZD/LqdFmKU1YIvZgpXpahK19UN11y0n8tazeclcbxqy18DDBWKsYCWUz0TaRw5R87mLWXfNOBmhDvkrY6AVluI7UPq7LCJjIf0NYdXrV3vWI89NZs5rbdsfeok6GBoUn5kl0ntMv9wrfnZbUXMy153VTP9/Hwetzg+0u4R6xwnPkMu8q9qc3ZBcoExzvdTOVaNINdg1Gyl86eNkssttLa0EfN6xEIxZYKiGoveVn9YvXX5XXTQ5AokGsXq1z9NMzllXAbOs7YPNUX1a1kEyYApFHFEWibFHLzQBX5ma7aSxZKsUchNVuYLJA2FN5+GeW3HK2jQrud/O1Uq/3z+JTpM3LOC2GTZQXAyslLZHr+DV7SxD+qzLuSalHHdlZnLTsPNGO6YqeaxnDDhUNN8ZwZk2nsohi7+xODcdjM8FqRumRn+w5I/yqO86Y/p2lefsZlXs8d3Ve4UA3OSr5LlYLEHERjr3edzq5E0wU9i1bIe7VOJ15tow4o7SOvmdF8O24cirfLGlfkWFISkFaIAScT5Pz1RhkxYuUOIEvx9HqGP5tsobKp/Ef9efBvT4FC9BHQPQFYUSOlH0J+ykP3kjY3G8ft5KcTge3IxNPJaOSUaHbesnQePCL3/yxSERU8ke5ADZMm45k+WU47wO94WkjrNBgoI1iaBuBKomNQnQ7trw41WEaqRgGUj3dGQw7XO2l54i9OWAfO2v0RPWe/zQHLKj7lV7eMMDlE9n2hoBVrqnl9Si511w2HhDjQWlegrMQye2ZN8ZQlvy6oJwh/T4vdQ2bcUG68XORplEyL3gPOMNeGtSzS9xjYgAnMUCd5qyJP1+2WdQtLM1MnWSL4m4IuvVEOZcEQzavj0UTMtGfMvnyABjvkGc+8QWt9OJPLr0ktu7mG2Z6w0O6MewX4SpMssTI5G4B6YIHswf3qSeaZy13dgAF1JVQE5eLqXGibmZZwxuCAMYZsbvpkvado70C7nZuHl6HWVLQzQPjszYBKemTid/fCYnz1pLw3z4KHhZOfLSHdjdrcZDjyAX7J4ita9Cz0y
Content-Type: multipart/alternative; boundary="_000_SJ0PR02MB7439CC9D556D99F9ADD26465B7442SJ0PR02MB7439namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-7719-20-msonline-outlook-0f88b.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR02MB7439.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: b921c418-1a39-4127-ce55-08dcecaa90cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2024 23:47:29.7485 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR02MB7234
Message-ID-Hash: ILWNLW6F2Y5HK3FPS45HACMHDZBPOK4I
X-Message-ID-Hash: ILWNLW6F2Y5HK3FPS45HACMHDZBPOK4I
X-MailFrom: michael_b_jones@hotmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-metadata@ietf.org" <draft-ietf-oauth-resource-metadata@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ee-aqKsHt4CN5ztXKzrcT8dAY74>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I’ve applied one change to https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/62 suggested by Amanda Baber of IANA – changing a “they” to “the Designed Experts”.  As it turns out, I was on a call with the IANA people for another reason and was able to review the new text with them in real time.

                                                                -- Mike

From: Michael Jones <michael_b_jones@hotmail.com>
Sent: Thursday, October 10, 2024 10:54 AM
To: Murray S. Kucherawy <superuser@gmail.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-oauth-resource-metadata@ietf.org; oauth-chairs@ietf.org; oauth@ietf.org; rifaat.s.ietf@gmail.com
Subject: RE: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)

https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/62 describes the motivations for the IANA registration procedure, as requested, and closes the loophole.  Let me know if you’d like any changes before we merge and publish.

                                                                Thanks again,
                                                                -- Mike

From: Murray S. Kucherawy <superuser@gmail.com<mailto:superuser@gmail.com>>
Sent: Thursday, October 10, 2024 8:22 AM
To: Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>>
Cc: The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>; draft-ietf-oauth-resource-metadata@ietf.org<mailto:draft-ietf-oauth-resource-metadata@ietf.org>; oauth-chairs@ietf.org<mailto:oauth-chairs@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>; rifaat.s.ietf@gmail.com<mailto:rifaat.s.ietf@gmail.com>
Subject: Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)

Hi Mike,

On Wed, Oct 2, 2024 at 11:01 PM Michael Jones <michael_b_jones@hotmail.com<mailto:michael_b_jones@hotmail.com>> wrote:
----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I concur strongly enough with John Scudder's comment about the IANA registry
that I'd like to discuss it.  Moreover, Section 4 of BCP 26 says:

   [...]  Newly minted policies,
   including ones that combine the elements of procedures associated
   with these terms in novel ways, may be used if none of these policies
   are suitable; it will help the review process if an explanation is
   included as to why that is the case.

Is that explanation available anywhere?  I think John's right, this is a
peculiar loophole, and it would be helpful to know why the WG thinks this is
necessary.  There's already a debate in progress about whether an I-D (which
expires) is viable in a Specification Required registry, and we're about to
charter a WG to revise BCP 26, so this is actually quite topical.

Mike> The explanation for the OAuth registration language is that we want to give authors of specifications proposing to register OAuth parameters the benefit of review by designated experts *before* the spec is completely done, so that if problems are found, they can iterate and fix them before making their specifications final.  I've been in many situations, both as the party registering and as the Designated Expert, where this pre-final review was priceless and resulted in improvements in the specification.  I'd be open to different (possibly more standard) language that still achieves this possibility.

Mike> For what it's worth, remember too that this language was written before RFC 8126 was.  If there's a more modern equivalent you can suggest, I'm all for it.

Irrespective of that BCP's timeline, I always prefer to err on the side of explaining too much versus too little when doing something procedurally unusual.  In this case, I think the explanation you gave here is simple and would be beneficial to include, especially since future authors might take it as an example of the minimum you need to get some kind of custom policy through IESG Evaluation.  I would encourage such a sentence or two to be added here.

My main concern with the policy as written is that there's a possible leak: If the DE approves something because she is relatively certain a registration is going to happen, but then for some reason that process is never completed, we're left with a dangling registration.  What might we do for this registry in such a situation?  Should a DE be further empowered to deregister something if this condition were to arise?  It would be nice to plug this hole.

I'll clear my DISCUSS now, since the discussion happened, but I'd encourage consideration of some review of these two points with Deb, and I'm happy to continue the conversation too if necessary.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
 [...]

In Section 2.1, second paragraph, the RECOMMENDED and SHOULD seem bare to me.
Why would we allow anything other than what's specified, especially since BCP
47 prescribes a particular behavior?

Mike> This is exactly the same language as used for OAuth Client metadata at https://www.rfc-editor.org/rfc/rfc7591.html#section-2.2.  Since this spec is entering the same OAuth ecosystem, I'm reluctant to make it different in any way.

Mike> I look forward to hearing back from you, particularly about the IANA registration goals and language.

Well, that's unfortunate.  But this part was only a COMMENT.

-MSK