So you have never reached out to us to try to bring any work to the WG, and
based on attending one meeting and hearing from a few people, you formed a
strong opinion and declared that "nothing would get done"? That seems odd.

For your information, last year we published 4 RFCs, and we already have 3
documents with the IESG and more to come.

If you have anything you want to bring to the OAuth WG, Hannes and I would
be happy to discuss this with you or anyone that wants to bring work to the
OAuth WG.

Regards,
 Rifaat



On Tue, Feb 23, 2021 at 6:52 AM Bron Gondwana <br...@fastmailteam.com>
wrote:

> Without wishing to litigate the entire issue here (happy to remove the
> wider IETF list and just talk on the OAuth group), we never brought any
> work to the OAuth group because everybody who we spoke to warned us that
> nothing would get done.
>
> There's a term "missing stair" https://en.wikipedia.org/wiki/Missing_stair
> which describes this phenomenon, where "everybody knows" something, but new
> participants are forced to discover it through either having someone tell
> them quietly, or just notice it for themselves.
>
> ...
>
> Just as an anecdote, the last time I bothered to attend an OAuth meeting
> in person I had this to say about it on our internal slack channel when
> asked: "they can't agree about what they don't agree on".
>
> The topic that had taken basically the entire meeting and had been totally
> unproductive - was a particular key in a JSON Web Token going to clash with
> a reserved word in either javascript itself or one of the other
> environments in which this token had to be evaluated.  There were people
> saying "this won't work, just rename the key" and others saying "I like
> this name and insist upon us keeping it".  No progress was made that day.
>
> In fact, here's the extract of my report on the OAuth meeting at IETF102
> (a detailed long email with pictures of poutine, icecream, and a report on
> every session I attended).  Names extracted to protect the others involved,
> but other text left exactly as it was, complete with typos:
>
> *Thursday 19th: (Aug 2018)*
>
> *9:30am* OAUTH
> <https://datatracker.ietf.org/meeting/102/materials/agenda-102-oauth-03>:
> Fecking OAUTH as they say.  I came out of this saying "they can't even
> agree about what they don't agree on".  <Name redacted> says it was even
> worse in the past.  What a fustercluck.  Don't expect anything workwhile
> out of this group unfortunately.  <Other name redacted> and I were just
> looking at each other like WTF the entire time.
>
>
> Maybe it's become heaps better since then.  But I wouldn't want to have
> been a new participant trying to get anything done in that session.
>
> ...
>
> The authentication flow as originally put into JMAP (before it came to the
> IETF) can be seen in the initial draft here if you're interested:
>
> https://www.ietf.org/archive/id/draft-jenkins-jmap-00.txt
>
> But we decided in the interests of expediency to just drop it rather than
> trying to progress that work anywhere at the IETF.
>
> Regards,
>
> Bron.
>
> On Tue, Feb 23, 2021, at 22:00, Hannes Tschofenig wrote:
>
> Hi Bron,
>
>
>
> I have to respond to your statements about the OAuth working group below.
>
>
>
> While we do not pay attention to keeping the charter page up-to-date, we
> have been able to advance our documents, produce many implementations, and
> got those deployed all over the Internet.
>
>
>
> The bar for acceptance of new work varies among working groups in the IETF.
> Some working groups develop technology that got widely deployed and hence
> randomly changing specs isn’t such a great idea because you have to
> consider the deployment situation as well. This is a situation many IETF
> working groups face. Reaching (widespread) deployment is great on one hand
> and a pain on the other.
>
>
>
> There are other groups, which are early in their lifecycle. In those
> groups you do not need to worry about deployments, backwards compatibility
> or even any source code.
>
>
>
> In general, Rifaat and I are always open for anyone in the IETF (and
> outside) to reach out to us, if they want to bring new work forward to the
> group. Sometimes proposed work fits into the group and sometimes it does
> not. The work on JOSE, for example, was put into a separate working group
> even though it was initially developed for use with JSON Web Tokens.
>
>
>
> I don’t recall having chatted with you or with someone from the JMAP
> community on the use of OAuth. Sorry if my memory does not serve me well
> today.  Typically, applications just use OAuth and therefore there is no
> need to reach out to the OAuth working group.
>
>
>
> Ciao
>
> Hannes
>
>
>
> *From:* ietf <ietf-boun...@ietf.org> *On Behalf Of * Bron Gondwana
> *Sent:* Tuesday, February 23, 2021 5:20 AM
> *To:* i...@ietf.org
> *Subject:* Re: Diversity and Inclusiveness in the IETF
>
>
>
> Thanks Fernando,
>
>
>
> I would add to this document something about inertia, backwards
> compatibility and existing dysfunction.
>
>
>
> Many ideas are shut down because they aren't in the right place, or don't
> fit comfortably into the existing corpus of IETF documents.
>
>
>
> When we brought JMAP to the IETF it was after a long process of
> socialisation, and still there was significant work in the first couple of
> meetings just to convince people that "this is worth doing, the existing
> work the IETF has done in this neighborhood is not sufficient".
>
>
>
> JMAP also had an authentication scheme in it originally.  It was a good
> authentication scheme, but applications don't do authentication schemes,
> that's the bailiwick of OAUTH, where ideas go to die (in my experience,
> that working group has been dysfunctional for my entire time at IETF -
> exhibit 'A' being the "Milestones" section of the about page, which lists 6
> items all due in 2017)
>
>
>
> So we just removed all mention of authentication method and handwaved "the
> connection will be authenticated", because we wanted to publish something
> during the decade with years starting '201'.
>
>
>
> ... all that to say.  One of the biggest barriers to entry in the IETF is
> stumbling across an area in which no work is able to progress due to
> entrenched issues within that area.
>
>
>
> And I'm not arguing for "no barriers to entry", because there needs to be
> a sanity check that we're actually producing high quality specifications,
> and that our specifications are compatible with each other so the entirety
> of the IETF's work product is a coherent whole.  But it's hard to get
> started if you don't already have the connections to have your work
> sponsored by somebody who already knows their way around the IETF's
> idiosyncrasies.  I'm doing some of that sponsoring myself now for the
> people from tc39 who are trying to get the IETF to look at defining an
> extended datetime format.
>
>
>
> Cheers,
>
>
>
> Bron.
>
>
>
> On Tue, Feb 23, 2021, at 11:07, Fernando Gont wrote:
>
> Folks,
>
> We have submitted a new I-D, entitled "Diversity and Inclusiveness in
> the IETF".
>
> The I-D is available at:
> https://www.ietf.org/archive/id/draft-gont-diversity-analysis-00.txt
>
> We expect that our document be discussed in the gendispatch wg
> (https://datatracker.ietf.org/wg/gendispatch/about/). But given the
> breadth of the topic and possible views, we'll be glad to discuss it
> where necessary/applicable/desired.
>
> As explicitly noted in our I-D, we're probably only scratching the
> surface here -- but we believe that our document is probably a good
> start to discuss many aspects of diversity that deserve discussion.
>
> Thanks!
>
> Regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
> --
>   Bron Gondwana, CEO, Fastmail Pty Ltd
>   br...@fastmailteam.com
>
> --
>   Bron Gondwana, CEO, Fastmail Pty Ltd
>   br...@fastmailteam.com
>
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth