Dear IESG and OAuth members,

The OAuth working group is in the process of updating several drafts to address
a security vulnerability found through formal analysis.  (See the Introduction
to draft-ietf-oauth-rfc7523bis-01
<https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-01.html#name-introduction>
for a description of the vulnerability and its mitigation.)  The vulnerability
is present in multiple OAuth drafts: primarily RFC 7523, but also RFC 7521,
RFC 7522, and RFC 9126.

Ben Kaduk wrote this to us
<https://mailarchive.ietf.org/arch/msg/oauth/7qqLlRJkICK3xbzCW49KnJFBcqc/>
about the draft:

> I cannot speak for the current IESG, but previous IESGs have been rather
> unhappy with documents that are effectively diffs to other RFCs ("in Section
> X of RFC Y, make this change"), most notably in
> draft-ietf-nfsv4-mv1-msns-update
> <https://datatracker.ietf.org/doc/draft-ietf-nfsv4-mv1-msns-update/>
> but that was not the only example.

On an OAuth call today, we decided to explicitly ask which document structuring 
option the IESG and the working group would prefer before we do more 
substantive work to the draft.  The options seem to be:

  1.  A draft describing deltas to all the affected RFCs.  That's the structure
      of draft-ietf-oauth-rfc7523bis-01
      <https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-01.html>.
  2.  A bis draft replacing RFC 7523 and also describing deltas to the other
      affected RFCs.  That's the structure of draft-ietf-oauth-rfc7523bis-00
      <https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-00.html>.
  3.  Separate bis drafts for each affected RFC.  -00 without Sections 9-12 is
      effectively an example of that for RFC 7523.

As background, the originally adopted -00 document took approach 2.  At IETF 
122, the participants expressed a preference for option 1, hence that approach 
being taken in -01.

Particularly for IESG members, would you object if we continued in the 
direction of approach 1, as embodied in the -01 draft?  If you would object, 
what would you suggest?

Thanks all,
-- Mike

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
