On 4/15/10 12:04 AM, "Evan Gilbert" <[email protected]> wrote:
> - What does it mean to have successive drafts? And if we move an issue to the
> next draft, what does that practically mean?
> - How does the bill become a law?
Drafts are numbered but not versioned and they are not reference-able. They
expire after 6 month of publication and cannot be used as normative
references from other specifications. So in practice the latest draft is
simply a representation of where the working group is in terms of progress.
When the WG is done, it issues a last call to see if anyone in the WG still
has open issues. You can have multiple last calls if a last calls demands
significant changes.
Once the working group is satisfied with its draft, it goes to an IETF last
call with the same process but with feedback coming from the entire
community and sent back to the WG to be worked out.
As any given time, the WG does not have to accommodate feedback but should
account for it (reply and explain why). The IETF last call includes official
review from other areas such as the security area. These reviews must be
addressed (in the same manner though).
When the document passed through both last calls, it goes to the IESG which
is the IETF governing body consisted of the area directors and the IESG
chair. The IESG votes on the draft to approve or discuss it. There is no
'No' vote in the IESG (you need 10 yes/abstain votes and no requests to
discuss the draft for approval).
IESG discussion can take a while until all the area directors are satisfied.
At that point the document is done and can be referenced, but can take
months to be published as an RFC. The process doesn't end there but the vast
majority of people treat the RFC as a standard (it is actually just a
proposed standard) and ignore the rest.
> - What is the expected timing of these drafts?
Like any standards process it takes as long as it takes. OAuth 1.0 took
about a year without becoming a standard. Once the WG is done, it should
take about 3-6 months for IESG approval and another 3-6 months for RFC
publication.
BUT -
Companies can implement the drafts for beta or experimental purposes and
keep them up to date as much as possible. Once the WG draft is done,
companies can ship it with the expectation that it can still change but with
a general timeline of about 6 months to a year. The primary reason for
changes after WG LC are security requirements.
As for the WG timing, it is hard to say because we still have a long list of
open issues. The biggest reasons for WG slowness are busy editors and laid
back chairs. I don't think editorial work is going to slow the WG, but when
it comes to closing issues, we rely on the chairs to make consensus calls
and close open issues when the WG is stuck.
That said, I think the current draft is close to what OAuth 2.0 should look
like and the list of issues has remained about the same for the past month.
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
