Hi Murray,

The IANA registration procedure language was updated in 
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-12.html as 
discussed on today's IESG telechat and per Deb's suggestions to me.  It now 
says:

"The IANA escalation process is followed when the Designated Experts are not 
responsive within 14 days."

I also acknowledged the additional reviewers.

Thanks all for your useful feedback on the draft!

                                -- Mike

P.S.  I look forward to participating in the proposed working group on IANA 
procedures.  Is there a draft charter I can review?

-----Original Message-----
From: Michael Jones
Sent: Wednesday, October 2, 2024 11:01 PM
To: Murray Kucherawy <superu...@gmail.com>; The IESG <i...@ietf.org>
Cc: draft-ietf-oauth-resource-metad...@ietf.org; oauth-cha...@ietf.org; 
oauth@ietf.org; rifaat.s.i...@gmail.com
Subject: RE: Murray Kucherawy's Discuss on 
draft-ietf-oauth-resource-metadata-11: (with DISCUSS and COMMENT)

Hi Murray.  Thanks for taking the time to review the draft.  My responses are 
inline below, prefixed by "Mike>".

-----Original Message-----
From: Murray Kucherawy via Datatracker <nore...@ietf.org>
Sent: Wednesday, October 2, 2024 10:13 PM
To: The IESG <i...@ietf.org>
Cc: draft-ietf-oauth-resource-metad...@ietf.org; oauth-cha...@ietf.org; 
oauth@ietf.org; rifaat.s.i...@gmail.com
Subject: Murray Kucherawy's Discuss on draft-ietf-oauth-resource-metadata-11: 
(with DISCUSS and COMMENT)

Murray Kucherawy has entered the following ballot position for
draft-ietf-oauth-resource-metadata-11: Discuss

When responding, please keep the subject line intact and reply to all email 
addresses included in the To and CC lines. (Feel free to cut this introductory 
paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I concur strongly enough with John Scudder's comment about the IANA registry 
that I'd like to discuss it.  Moreover, Section 4 of BCP 26 says:

   [...]  Newly minted policies,
   including ones that combine the elements of procedures associated
   with these terms in novel ways, may be used if none of these policies
   are suitable; it will help the review process if an explanation is
   included as to why that is the case.

Is that explanation available anywhere?  I think John's right, this is a 
peculiar loophole, and it would be helpful to know why the WG thinks this is 
necessary.  There's already a debate in progress about whether an I-D (which
expires) is viable in a Specification Required registry, and we're about to 
charter a WG to revise BCP 26, so this is actually quite topical.

Mike> The explanation for the OAuth registration language is that we want to 
give authors of specifications proposing to register OAuth parameters the 
benefit of review by designated experts *before* the spec is completely done, 
so that if problems are found, they can iterate and fix them before making 
their specifications final.  I've been in many situations, both as the party 
registering and as the Designated Expert, where this pre-final review was 
priceless and resulted in improvements in the specification.  I'd be open to 
different (possibly more standard) language that still achieves this 
possibility.

Mike> For what it's worth, remember too that this language was written before 
RFC 8126 was.  If there's a more modern equivalent you can suggest, I'm all for 
it.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

On the flipside, I appreciate that so much good guidance was given to the 
Designated Experts and even to us on how we should go about selecting them.  It 
would be helpful if candidates could be nominated (if that hasn't already
happened) for approval by the IESG.

Mike> Deb and I have discussed some possible good candidates.

As rendered on the datatracker's HTML page, the numerous initial entries in 
Section 8.1.2 are all run together.  Could we get them separated?

Mike> The rendering at 
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-11.html#name-initial-registry-contents 
has extra vertical space between the entries.  The rendering at 
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-11.txt also 
has a blank line between the entries.  What rendering are you viewing?  (I can 
work with the RFC Editor to make sure the visuals are good if I know where the 
problem rendering is.)

In Section 2, why is "resource_name" only RECOMMENDED?

Mike> Neither of the other OAuth metadata specs require a human-readable name.  
"client_name" is RECOMMENDED at 
https://www.rfc-editor.org/rfc/rfc7591.html#section-2.  "service_documentation" 
is OPTIONAL at https://www.rfc-editor.org/rfc/rfc8414.html#section-2.  
Consistency led me to the same treatment here.  Also, remember that the 
metadata is primarily for machine consumption - not human consumption.

In Section 2.1, second paragraph, the RECOMMENDED and SHOULD seem bare to me.
Why would we allow anything other than what's specified, especially since BCP
47 prescribes a particular behavior?

Mike> This is exactly the same language as used for OAuth Client metadata at 
https://www.rfc-editor.org/rfc/rfc7591.html#section-2.2.  Since this spec is 
entering the same OAuth ecosystem, I'm reluctant to make it different in any 
way.

Mike> I look forward to hearing back from you, particularly about the IANA 
registration goals and language.

                                Best wishes,
                                -- Mike

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
