Hi Bron, Let me also tell you a personal story. I was in the army in Austria and a commander of a small group. Everyone on the base knew about a pub in the city that was extremely dangerous and, according to stories, you would most likely get stabbed there. I was wondering about that place and went there. Guess what: I was there alone with the waitress. Everyone was too afraid to go there.
Maybe there is a lesson here. Just give it a try*. Getting back to the OAuth group: Groups typically go through cycles. At the beginning when participants do not know each other the discussions are often rough. When there is not much content (typically during a requirements gathering phase) everyone has an opinion to share. As time goes on, the situation improves and everyone gets to know each other better, hangs around after the official WG meetings and meets at non-IETF events. That’s where it gets more civilized. We went through those stages as well. Groups that work on exciting technologies also attract “rock stars” (as I call them). We had those in the OAuth group as well. It caused a lot of stress for the entire group but also for us chairs. When you have several people who do not accept a proposal different than their own then it gets tricky. Unfortunately, chairs don’t have much to say in the IETF either. I believe it helped us to get together in workshops (we organized a series of OAuth workshops), met at industry events (the Internet Identity Workshop, etc.) and scheduled regular “virtual office hours”. Of course, we still have disagreements and it would be a lie to say that all our meetings have been productive. Productivity has, however, been increased. The meetings were certainly passionate. On the other hand, I have been in working group meetings where there was no passion, no discussion and no productivity. Not great either. I don’t know whether it is already too late for your document (which is dated 2016) to consider the use of OAuth but Rifaat and I are happy to put you on the spot in one of our future virtual office hours or virtual interim meetings. Ciao Hannes PS: This is not a general life advice. There are many things you better skip... From: Bron Gondwana <br...@fastmailteam.com> Sent: Tuesday, February 23, 2021 12:51 PM To: Hannes Tschofenig <hannes.tschofe...@arm.com>; i...@ietf.org Cc: oauth@ietf.org Subject: Re: Diversity and Inclusiveness in the IETF Without wishing to litigate the entire issue here (happy to remove the wider IETF list and just talk on the OAuth group), we never brought any work to the OAuth group because everybody who we spoke to warned us that nothing would get done. There's a term "missing stair" https://en.wikipedia.org/wiki/Missing_stair which describes this phenomenon, where "everybody knows" something, but new participants are forced to discover it through either having someone tell them quietly, or just notice it for themselves. ... Just as an anecdote, the last time I bothered to attend an OAuth meeting in person I had this to say about it on our internal slack channel when asked:"they can't agree about what they don't agree on". The topic that had taken basically the entire meeting and had been totally unproductive - was a particular key in a JSON Web Token going to clash with a reserved word in either javascript itself or one of the other environments in which this token had to be evaluated. There were people saying "this won't work, just rename the key" and others saying "I like this name and insist upon us keeping it". No progress was made that day. In fact, here's the extract of my report on the OAuth meeting at IETF102 (a detailed long email with pictures of poutine, icecream, and a report on every session I attended). Names extracted to protect the others involved, but other text left exactly as it was, complete with typoes: Thursday 19th: (Aug 2018) 9:30am OAUTH<https://datatracker.ietf.org/meeting/102/materials/agenda-102-oauth-03>: Fecking OAUTH as they say. I came out of this saying "they can't even agree about what they don't agree on". <Name redacted> says it was even worse in the past. What a fustercluck. Don't expect anything workwhile out of this group unfortunately. <Other name redacted> and I were just looking at each other like WTF the entire time. Maybe it's become heaps better since then. But I wouldn't want to have been a new participant trying to get anything done in that session. ... The authentication flow as originally put into JMAP (before it came to the IETF) can be seen in the initial draft here if you're interested: https://www.ietf.org/archive/id/draft-jenkins-jmap-00.txt But we decided in the interests of expediency to just drop it rather than trying to progress that work anywhere at the IETF. Regards, Bron. On Tue, Feb 23, 2021, at 22:00, Hannes Tschofenig wrote: Hi Bron, I have to respond to your statements about the OAuth working group below. While we do not pay attention to keeping the charter page up-to-date, we have been able to advance our documents, produce many implementations, and got those deployed all over the Internet. The bar for acceptance of new work varies among working group in the IETF. Some working groups develop technology that got widely deployed and hence randomly changing specs isn’t such a great idea because you have to consider the deployment situation as well. This is a situation many IETF working groups face. Reaching (widespread) deployment is great on one hand and a pain on the other. There are other groups, which are early in their lifecycle. In those groups you do not need to worry about deployments, backwards compatibility or even any source code. In general, Rifaat and I are always open for anyone in the IETF (and outside) to reach out to us, if they want to bring new work forward to the group. Sometimes proposed work fits into the group and sometimes it does not. The work on JOSE, for example, was put into a separate working group even though it was initially developed for use with JSON Web Tokens. I don’t recall having chatted with you or with someone from the JMAP community on the use of OAuth. Sorry if my memory does not serve me well today. Typically, applications just use OAuth and therefore there is no need to reach out to the OAuth working group. Ciao Hannes From: ietf <ietf-boun...@ietf.org<mailto:ietf-boun...@ietf.org>> On Behalf Of Bron Gondwana Sent: Tuesday, February 23, 2021 5:20 AM To: i...@ietf.org<mailto:i...@ietf.org> Subject: Re: Diversity and Inclusiveness in the IETF Thanks Fernando, I would add to this document something about inertia, backwards compatibility and existing dysfunction. Many ideas are shut down because they aren't in the right place, or don't fit comfortably into the existing corpus of IETF documents. When we brought JMAP to the IETF it was after a long process of socialisation, and still there was significant work in the first couple of meetings just to convince people that "this is worth doing, the existing work the IETF has done in this neighborhood is not sufficient". JMAP also had an authentication scheme in it originally. It was a good authentication scheme, but applications don't do authentication schemes, that's the bailiwick of OAUTH, where ideas go to die (in my experience, that working group has been dysfunctional for my entire time at IETF - exhibit 'A' being the "Milestones" section of the about page, which lists 6 items all due in 2017) So we just removed all mention of authentication method and handwaved "the connection will be authenticated", because we wanted to publish something during the decade with years starting '201'. ... all that to say. One of the biggest barriers to entry in the IETF is stumbling across an area in which no work is able to progress due to entrenched issues within that area. And I'm not arguing for "no barriers to entry", because there needs to be a sanity check that we're actually producing high quality specifications, and that our specifications are compatible with each other so the entirety of the IETF's work product is a coherent whole. But it's hard to get started if you don't already have the connections to have your work sponsored by somebody who already knows their way around the IETF's idiosyncrasies. I'm doing some of that sponsoring myself now for the people from tc39 who are trying to get the IETF to look at defining an extended datetime format. Cheers, Bron. On Tue, Feb 23, 2021, at 11:07, Fernando Gont wrote: Folks, We have submitted a new I-D, entitled "Diversity and Inclusiveness in the IETF". The I-D is available at: https://www.ietf.org/archive/id/draft-gont-diversity-analysis-00.txt We expect that our document be discussed in the gendispatch wg (https://datatracker.ietf.org/wg/gendispatch/about/). But given the breadth of the topic and possible views, we'll be glad to discuss it where necessary/applicable/desired. As explicitly noted in our I-D, we're probably only scratching the surface here -- but we believe that our document is probably a good start to discuss many aspects of diversity that deserve discussion. Thanks! Regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com<mailto:fg...@si6networks.com> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -- Bron Gondwana, CEO, Fastmail Pty Ltd br...@fastmailteam.com<mailto:br...@fastmailteam.com> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- Bron Gondwana, CEO, Fastmail Pty Ltd br...@fastmailteam.com<mailto:br...@fastmailteam.com> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
