IETF Logo Mail Archive

[apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Pete Resnick <presnick@qualcomm.com> Thu, 12 April 2012 05:40 UTC

Return-Path: <presnick@qualcomm.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 493C221F85B4 for <apps-discuss@ietfa.amsl.com>; Wed, 11 Apr 2012 22:40:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.581
X-Spam-Level:
X-Spam-Status: No, score=-106.581 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DuzqrLjwyRF4 for <apps-discuss@ietfa.amsl.com>; Wed, 11 Apr 2012 22:40:45 -0700 (PDT)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) by ietfa.amsl.com (Postfix) with ESMTP id 5804221F85B1 for <apps-discuss@ietf.org>; Wed, 11 Apr 2012 22:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=presnick@qualcomm.com; q=dns/txt; s=qcdkim; t=1334209245; x=1365745245; h=message-id:date:from:user-agent:mime-version:to:subject: content-type:content-transfer-encoding:x-originating-ip; z=Message-ID:=20<4F866AC0.3000603@qualcomm.com>|Date:=20Th u,=2012=20Apr=202012=2000:40:16=20-0500|From:=20Pete=20Re snick=20<presnick@qualcomm.com>|User-Agent:=20Mozilla/5.0 =20(Macintosh=3B=20U=3B=20Intel=20Mac=20OS=20X=2010.6=3B =20en-US=3B=20rv:1.9.1.9)=20Gecko/20100630=20Eudora/3.0.4 |MIME-Version:=201.0|To:=20Apps=20Discuss=20<apps-discuss @ietf.org>,=0D=0A=09<draft-ietf-oauth-v2-bearer.all@tools .ietf.org>|Subject:=20Reserved=20URI=20query=20parameter =20in=20draft-ietf-oauth-v2-bearer|Content-Type:=20text/p lain=3B=20charset=3D"ISO-8859-1"=3B=20format=3Dflowed |Content-Transfer-Encoding:=207bit|X-Originating-IP:=20[1 72.30.48.1]; bh=xFq+81AAClSaUJqsFDsI8sW2cDZdFGPhqnTDKTOM3eA=; b=r/PY6JjEg9/Yt5Jriqo+zVjtqK3URPMn+3WXBblVpHhZlxzyZuA3kAgy kOhPsP16t8eIpROt2cSJL8V4L8Upg5e213ltz95T14b/ojDIuvGHgjWaq el6UXZkzgYDCErhVS5ttLK/w68WumFDNL4PvUvQY0hC/uTIqOjKS/rRZX g=;
X-IronPort-AV: E=McAfee;i="5400,1158,6677"; a="180932466"
Received: from ironmsg04-l.qualcomm.com ([172.30.48.19]) by wolverine01.qualcomm.com with ESMTP; 11 Apr 2012 22:40:44 -0700
X-IronPort-AV: E=Sophos;i="4.75,409,1330934400"; d="scan'208";a="195552509"
Received: from nasanexhc04.na.qualcomm.com ([172.30.48.17]) by Ironmsg04-L.qualcomm.com with ESMTP/TLS/AES128-SHA; 11 Apr 2012 22:40:24 -0700
Received: from resnick2.qualcomm.com (172.30.48.1) by qcmail1.qualcomm.com (172.30.48.17) with Microsoft SMTP Server (TLS) id 14.2.283.3; Wed, 11 Apr 2012 22:40:18 -0700
Message-ID: <4F866AC0.3000603@qualcomm.com>
Date: Thu, 12 Apr 2012 00:40:16 -0500
From: Pete Resnick <presnick@qualcomm.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100630 Eudora/3.0.4
MIME-Version: 1.0
To: Apps Discuss <apps-discuss@ietf.org>, draft-ietf-oauth-v2-bearer.all@tools.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.30.48.1]
Subject: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2012 05:40:46 -0000

Folks,

Mark mentioned to me that he did not think one major issue in his review 
of this document was fully addressed. I would like to get some feedback 
from other folks here on the Apps-discuss list as I cannot say myself 
that I fully understand the implications of the issue.

Mike Jones <Michael.Jones@microsoft.com> wrote:

> Mark Nottingham <mnot@mnot.net> wrote:
>
>> * Section 2.3 URI Query Parameter
>>
>> This section effectively reserves a URI query parameter for the 
>> draft's use. This should not be done lightly, since this would be a 
>> precedent for the IETF encroaching upon a server's URIs (done 
>> previously in RFC5785, but in a much more limited fashion, as a 
>> tactic to prevent further, uncontrolled encroachment).
>>
>> Given that the draft already discourages the use of this mechanism, 
>> I'd recommend dropping it altogether. If the Working Group wishes it 
>> to remain, this issues should be vetted both through the APPS area 
>> and the W3C liaison.
>>
>> (The same criticism could be leveled at Section 2.2 Form-Encoded Body 
>> Parameter, but that at least isn't surfaced in an identifier)
>
> There are some contexts, especially limited browsers and/or 
> development environments, where query parameters are usable but the 
> other methods are not.  Thus, the query parameter method must be 
> retained.  Also, Justin Richter's comments describing the value to him 
> of the query parameter method are pertinent:  A URL with all 
> parameters including authorization is a powerful artifact which can be 
> passed around between systems as a unit.
>
> As to using a standard parameter name, this is essential for 
> interoperability.  It is not reserved in any contexts other than when 
> the Bearer spec is employed, which is a voluntary act by both 
> parties.  Thus, this poses no undue burdens or namespace restrictions 
> on implementations in practice.
>
> Finally, you'll find that OAuth 1.0 [RFC 5849] similarly defined, not 
> one, but two standard query parameter values:  oauth_token and 
> oauth_verifier.  As this didn't cause any problems in practice then, 
> I'm sure that defining an access_token parameter within the Bearer 
> spec for interoperability purposes won't cause a problem either.

Would anyone (including, but not limited to, Mark) be able to better 
explain the issue here?

Thanks,

pr

-- 
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102

v2.23.0 | Report a Bug | By Email