Re: [OAUTH-WG] OAUTH Report for IETF-83

[Eran Hammer <eran@hueniverse.com>]

> -----Original Message-----
> From: William Mills [mailto:wmills@yahoo-inc.com]
> Sent: Thursday, March 29, 2012 11:13 PM
> To: Eran Hammer; Derek Atkins; saag@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAUTH Report for IETF-83
> 
> Thanks for the process lecture....  except we already had extensive
> discussion of same in the WG meeting...

The comment shared with the list was:

"There was also consensus to include Simple Web Discovery (in addition to, and separate from, Dynamic Client Registration)"

This "lecture" is my attempt at understanding how the people in the room (I was unable to afford flying to Paris or be up at 4am) got from the Dynamic Client Registration proposal which does not even mention SWD (but does rely on an outdated version of RFC 6415), to including SWD as a "separate" item without any direct link to OAuth (other than "interest in the room").

Since the chair implied that there was already consensus (which is a very significant IETF process statement), raising process issues is one tool the IETF provides for those in disagreement.

> Partially this issue was raised because my draft does a discovery thing and I
> want this sorted out to figure out what hooks I need to put in so I can get
> done.  I want to be consistent with whatever will be the chosen standardized
> usage. I really DO NOT care how we solve the problem as long as it's solved.

I DO care how we solve this problem, but more importantly, defining what the problem actually is. 

> I think your point that host-meta and LINK/REL solve the same problem is a
> fair one, it came up in the room.  Another comment in the room was that for
> JS based stuff JSON is far easier to deal with than XML, and I think that's
> probably also really true, so there are some competing isues.

This just shows how little technical due-diligence was done by this group.

RFC 6415 provides full JSON support. The WebFinger draft which slightly extends RFC 6415, makes JSON support required and adds the 'resource' query parameter [1]. A additional 'rel' query parameter has also been proposed and is being discussed on the APPS discuss list.

I guess my question is, why isn't RFC 6415 by the simple virtue of it being a publish IETF proposed standard RFC the default and obvious choice here? Why isn't this discussion framed in terms of making enhancements to RFC 6415 (as already in progress by the WebFinger proposal, which BTW, is also under discussion for IETF venue) or in terms of discussing why RFC 6415 is not the suitable choice for the yet-to-be-defined OAuth discovery framework?

Is this group even aware that the 5 years effort (!) leading to RFC 6415 was primarily done for OAuth discovery? There is so much relevant history here being completely ignored.

If the OAuth charter is going to mention SWD, it must also mention RFC 6415 as an equal alternative to be discussed by the WG. The charter discussion is clearly not the place to make this decision. In addition, if this WG is going to busy itself with helping find SWD a proper home, that discussion must also include finding a proper home for the WebFinger proposal, given the clear IETF conflict in promoting both.

The discovery solution adopted by OAuth is very likely to have significant influence over future web discovery beyond OAuth. The stakes here are pretty high.

EH

[1] http://tools.ietf.org/html/draft-jones-appsawg-webfinger-02#section-4.2