Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Mike Jones <Michael.Jones@microsoft.com> Sat, 14 April 2012 18:13 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>, Tim Bray <tbray@textuality.com>
Message-ID: <4E1F6AAD24975D4BA5B16804296739436646DBCA@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4F866AC0.3000603@qualcomm.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2FE2816@P3PWEX2MB008.ex2.secureserver.net> <CAHBU6iuR+2CfPsPdkjMJCSmzrX1B8_nLB=xp_NRZi7db78V8vw@mail.gmail.com> <EA3F224E-B219-4753-8D6D-27A1BDDF97FB@tzi.org> <01OEACFVDL5O00ZUIL@mauve.mrochek.com> <E88A83EE-1212-4747-BFE4-F147B49EE088@gmail.com> <CAHBU6isCwrEVmtc4wtsOaFwWULBY8eh3x=vQkKp-_ZNmOkLKBg@mail.gmail.com> <898E78D1-DFFB-4B8B-9C75-7A2BD0D34CBE@gmail.com>
In-Reply-To: <898E78D1-DFFB-4B8B-9C75-7A2BD0D34CBE@gmail.com>
Cc: Pete Resnick <presnick@qualcomm.com>, Ned Freed <ned.freed@mrochek.com>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>, Apps Discuss <apps-discuss@ietf.org>

I don't believe that URI comparison considerations are pertinent here.  Here's why...

These URIs contain a bearer token.  As such, it would be a complete security breach for these URIs to ever become visible to any but the intended parties.  Why?  Per the Security Considerations section, this would allow anyone in possession of them to successfully impersonate the client and perform operations as if they were the client.  (That's the nature of a bearer token.)

Therefore, these URIs MUST never be visible to Web crawlers or any other third parties that might try to use URI comparison rules on them in some generic way.  For security reasons, their use is scoped strictly to the client and the protected resource.

Therefore, URI comparison considerations do not apply.

				-- Mike

-----Original Message-----
From: Dick Hardt [mailto:dick.hardt@gmail.com] 
Sent: Saturday, April 14, 2012 1:25 AM
To: Tim Bray
Cc: Dick Hardt; Ned Freed; Carsten Bormann; Pete Resnick; Apps Discuss; draft-ietf-oauth-v2-bearer.all@tools.ietf.org
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Thanks Tim.

I did not see any discussion on normalizing key=value pairs. One would assume that http://exmaple.com/?a=1&b=2 is equivalent to http://exmaple.com/?b=2&a=1 -- but that does not seem to be significant here.

There are numerous practical reasons for the bearer token to be able to be passed as a query parameter which I would be happy to enumerate if anyone is interested. (so far no one has asked :)

I'm trying to understand the desire to remove this functionality, and after reading the spec my take away is a desire to not specify a query parameter. What am I missing?

-- Dick

On Apr 14, 2012, at 12:58 AM, Tim Bray wrote:
> That would be http://tools.ietf.org/html/rfc3986#section-6
> 
> The fact that it's kind of long, but still doesn't find room for 
> reserved ?key=val pairs, is significant in this context. -T
> 
> On Sat, Apr 14, 2012 at 12:43 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>> 
>> On Apr 13, 2012, at 10:58 PM, Ned Freed wrote:
>> 
>> 
>> That said, the rules are what they are, and comparison of URIs has to 
>> be taken into account.
>> 
>> 
>> What is the URI comparison rule you are referring to?
>> 
>> -- Dick
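A defender-side consequence of the two points above (a URI carrying a bearer token must stay invisible to third parties, and query parameters are unordered key=value pairs): a resource server should scrub the token from anything it logs, including Referer values. The following is an added example, written for this page and not taken from the thread or the OAuth draft; it assumes only the Python 3 standard library and the access_token parameter name that the bearer draft defines (published as RFC 6750, section 2.3). The log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter name defined by the bearer token spec (RFC 6750, section 2.3).
TOKEN_PARAM = "access_token"

# Matches an absolute http(s) URI, or a request path that carries a query.
URI_RE = re.compile(r"""https?://[^\s"']+|/[^\s"'?]*\?[^\s"']*""")


def carries_bearer_token(uri: str) -> bool:
    """True when the query part carries an access_token parameter.

    The query is parsed into key/value pairs, so the ordering
    ?a=1&access_token=x versus ?access_token=x&a=1 makes no difference.
    """
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return any(key == TOKEN_PARAM for key, _ in pairs)


def redact_bearer_token(uri: str, placeholder: str = "REDACTED") -> str:
    """Return the URI with every access_token value replaced by a placeholder.

    Other parameters keep their original order; values are re-encoded by
    urlencode, so unusual percent-encoding elsewhere may be normalised.
    """
    parts = urlsplit(uri)
    if not parts.query:
        return uri
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, placeholder if k == TOKEN_PARAM else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def scrub_log_line(line: str) -> str:
    """Redact bearer tokens from every URI or request path found in one log line."""
    return URI_RE.sub(lambda m: redact_bearer_token(m.group(0)), line)


# Constructed sample access-log lines (not real traffic). The second carries the
# token both in the request path and in a Referer sent by a client-side page.
SAMPLE_LOG = [
    '10.0.0.1 - - [14/Apr/2012:18:13:06 +0000] "GET /resource?a=1&b=2 HTTP/1.1" 200 17 "-"',
    '10.0.0.2 - - [14/Apr/2012:18:13:07 +0000] "GET /resource?b=2&access_token=mF_9.B5f-4.1JqM HTTP/1.1"'
    ' 200 17 "https://client.example.net/cb?access_token=mF_9.B5f-4.1JqM&a=1"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(scrub_log_line(raw))
```

Scrubbing at the logging layer is a backstop only; the cleaner mitigation is to send the token in the Authorization header so it never enters a URI.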