[OAUTH-WG] Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)
"Murray S. Kucherawy" <superuser@gmail.com> Thu, 10 October 2024 15:22 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADBC7C16940C; Thu, 10 Oct 2024 08:22:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id umvogGEsfvot; Thu, 10 Oct 2024 08:22:26 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B31E6C14F708; Thu, 10 Oct 2024 08:22:26 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-a999521d0c3so177801466b.1; Thu, 10 Oct 2024 08:22:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728573745; x=1729178545; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/q/iS5bs17twMZQIlrOusYVzKy+oeTxQTmRK+gbmKbY=; b=H4xBM5mwuyF526k3JZzKd2HNZJvwbAcXx/VyA3uoI90IJRr8iUpH/nSb1hXGhx6rkY E3dPa20Vs6tdeqK0gfPxGfrk6qZ1gjwFHxD4KtW5rz6E4y8/zDOOgq5KrqRnocU9OVTL ARdmVELftxahy6k4vyIYiPhGks2goRa2Amu4rsH800pPOPUhzP9Oxu9GgbKeK6EtSlsj o6mXWjTdEhuvStfv5ve/m7b/mKiugGOm8nXnRnrsHNB/tcotneBaS2zkqp2FHR1wC8T3 uccx05waR8YvDVSgDcHqMeD1rykuYYlzvOBgN3Gv1F43U9/96l77IrnLwDCEsHC35Gjm MHJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728573745; x=1729178545; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/q/iS5bs17twMZQIlrOusYVzKy+oeTxQTmRK+gbmKbY=; b=Pnw4gsCIjDcO0nNL3NEJp8Wm3bTvV4nlJX2+ssCz1+O6SNshmzxwFy2pN7KWoPpOMs xvU50eS6ypL1TvYc4olEgIabtKFOI2u2/lc51/kmtNGBE/K3KjzM9Usar9xRJRYniwYV nvhZL//e/ImskMCMC/HwIYPecwlyk4REUC5rGaASDZmD9rUoTPCUs9vX2vYKahXtM9Bn majU8dQWHCCjToS10Nq0hOruKSvfv1iGexE0LdpywDA+qOKTgzxG7qHJi5bAn7twfLL7 LiwZ9PVI5dCnrIWxrHKBJg8XcXQSoqSwrZJZeJ1uhbk9SN2aZBuzG3hNLcrWctoe4+cf 3s7g==
X-Forwarded-Encrypted: i=1; AJvYcCUlXv5mikI80O1bI29PHMh6I6OznCAcalomW2UtckSVlNqjBCNzmmts2RHb/f3Nh/MMa5slJqo=@ietf.org, AJvYcCVTuNao579uN2SPEdLIAipLskpd5CW3fqajNPf3WrtRe6Tuu1apmlozFE4rmpEBAxJVW8FOPj9KVnM+lqjm@ietf.org, AJvYcCWbeVAxGS6V/hkAi3NmlJqnjfTy5EIKME0bS5fWzJf7xm2ZGiVN/2p6FVTDVGqEEPLLgx2Fp6L3xpflW18FLPEQI7zm5rWeRS7DpNb7RNK1DgZW@ietf.org
X-Gm-Message-State: AOJu0YziB3+giH0WbNTu+92r7xLVNHzi3H2oMgs3YVEcCm9i2tJQCpxZ iSpxwxMCHLO7Um6FnPQjbgnD0KlmTbNYX8WvKGOux8xpJbEg7i0LT3lv6huErpINiRWweFTqlft 1T2nrFkDATJ73de40qDlKb4XTaWHJoA==
X-Google-Smtp-Source: AGHT+IGYSZZHqGCTewDRy6az0YwQ0Auwvh9IyWL8ktpZunZw9LqV7jAwaNzfgEH8kuSOFoh2POUNdYpbzwEO9FoCVOM=
X-Received: by 2002:a17:907:e28d:b0:a99:4e2e:6f58 with SMTP id a640c23a62f3a-a998d21a5c2mr600525066b.35.1728573744803; Thu, 10 Oct 2024 08:22:24 -0700 (PDT)
MIME-Version: 1.0
References: <172793236988.1105259.6830337518090622561@dt-datatracker-7bbd96684-zjf54> <PH0PR02MB743070CC3DFE361611BC1BD7B7712@PH0PR02MB7430.namprd02.prod.outlook.com>
In-Reply-To: <PH0PR02MB743070CC3DFE361611BC1BD7B7712@PH0PR02MB7430.namprd02.prod.outlook.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 10 Oct 2024 08:22:12 -0700
Message-ID: <CAL0qLwZcS79PmMewOvyGDiiMCLqQKAbM=izMcQOtcgXjzbQvUg@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Content-Type: multipart/alternative; boundary="00000000000006f8fd062420f0e9"
Message-ID-Hash: 422ARM6JS5AHVRHWYWVMIGLQHMBFVJEW
X-Message-ID-Hash: 422ARM6JS5AHVRHWYWVMIGLQHMBFVJEW
X-MailFrom: superuser@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-metadata@ietf.org" <draft-ietf-oauth-resource-metadata@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [OAUTH-WG] Re: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/or6bS7cAETsuHGvAFUZ-aCLR12U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Mike, On Wed, Oct 2, 2024 at 11:01 PM Michael Jones <michael_b_jones@hotmail.com> wrote: > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I concur strongly enough with John Scudder's comment about the IANA > registry > that I'd like to discuss it. Moreover, Section 4 of BCP 26 says: > > [...] Newly minted policies, > including ones that combine the elements of procedures associated > with these terms in novel ways, may be used if none of these policies > are suitable; it will help the review process if an explanation is > included as to why that is the case. > > Is that explanation available anywhere? I think John's right, this is a > peculiar loophole, and it would be helpful to know why the WG thinks this > is > necessary. There's already a debate in progress about whether an I-D > (which > expires) is viable in a Specification Required registry, and we're about to > charter a WG to revise BCP 26, so this is actually quite topical. > > Mike> The explanation for the OAuth registration language is that we want > to give authors of specifications proposing to register OAuth parameters > the benefit of review by designated experts *before* the spec is completely > done, so that if problems are found, they can iterate and fix them before > making their specifications final. I've been in many situations, both as > the party registering and as the Designated Expert, where this pre-final > review was priceless and resulted in improvements in the specification. > I'd be open to different (possibly more standard) language that still > achieves this possibility. > > Mike> For what it's worth, remember too that this language was written > before RFC 8126 was. If there's a more modern equivalent you can suggest, > I'm all for it. > Irrespective of that BCP's timeline, I always prefer to err on the side of explaining too much versus too little when doing something procedurally unusual. In this case, I think the explanation you gave here is simple and would be beneficial to include, especially since future authors might take it as an example of the minimum you need to get some kind of custom policy through IESG Evaluation. I would encourage such a sentence or two to be added here. My main concern with the policy as written is that there's a possible leak: If the DE approves something because she is relatively certain a registration is going to happen, but then for some reason that process is never completed, we're left with a dangling registration. What might we do for this registry in such a situation? Should a DE be further empowered to deregister something if this condition were to arise? It would be nice to plug this hole. I'll clear my DISCUSS now, since the discussion happened, but I'd encourage consideration of some review of these two points with Deb, and I'm happy to continue the conversation too if necessary. ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > [...] > In Section 2.1, second paragraph, the RECOMMENDED and SHOULD seem bare to > me. > Why would we allow anything other than what's specified, especially since > BCP > 47 prescribes a particular behavior? > > Mike> This is exactly the same language as used for OAuth Client metadata > at https://www.rfc-editor.org/rfc/rfc7591.html#section-2.2. Since this > spec is entering the same OAuth ecosystem, I'm reluctant to make it > different in any way. > > Mike> I look forward to hearing back from you, particularly about the IANA > registration goals and language. > Well, that's unfortunate. But this part was only a COMMENT. -MSK
- [OAUTH-WG] Murray Kucherawy's Discuss on draft-ie… Murray Kucherawy via Datatracker
- [OAUTH-WG] Re: Murray Kucherawy's Discuss on draf… Michael Jones
- [OAUTH-WG] Re: Murray Kucherawy's Discuss on draf… Michael Jones
- [OAUTH-WG] Re: Murray Kucherawy's Discuss on draf… Murray S. Kucherawy
- [OAUTH-WG] Re: Murray Kucherawy's Discuss on draf… Michael Jones
- [OAUTH-WG] Re: Murray Kucherawy's Discuss on draf… Michael Jones