Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Ned Freed <ned.freed@mrochek.com> Fri, 13 April 2012 22:29 UTC

Message-id: <01OE9WNJ8DMG00ZUIL@mauve.mrochek.com>
Date: Fri, 13 Apr 2012 15:23:21 -0700
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Fri, 13 Apr 2012 15:53:46 -0400" <A48957229B96D30415E2683A@PST.JCK.COM>
MIME-version: 1.0
Content-type: TEXT/PLAIN
References: <A48957229B96D30415E2683A@PST.JCK.COM>
To: John C Klensin <john-ietf@jck.com>
Cc: Pete Resnick <presnick@qualcomm.com>, Mark Nottingham <mnot@mnot.net>, Ned Freed <ned.freed@mrochek.com>, draft-ietf-oauth-v2-bearer.all@tools.ietf.org, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
Precedence: list

> Agreeing that the horse has left the barn and is far down the
> street, the IETF is still being asked to publish this and
> publish it with some level of authority that we call "IETF
> Consensus" and/or "Standard".

> Recommendation:

> (1) For reasons explained in my earlier note, prune this down to
> one recommended/standardized method, not three.

> (2) For any other methods, document them as existing practice
> (and consequently alternatives) and _at least_ discuss the
> reasons for and against using them.

> (3) If the recommendation is to use a reserved query parameter
> keyword, seriously consider making that keyword something like
> "oauth_access_token" but noting that "access_token" is in use as
> a synonym and that, while we discourage it, servers SHOULD
> normally treat it as a synonym.  I disagree with Ned to the
> extent that, as a firm believer in Murphy's Law and the general
> perversity of the universe, I would have said "reduce", rather
> than "remove", the possibility of conflict, but even "reduce"
> would be A Good Thing.

> (4) The document should explain the risks associated with
> someone using "?access_token"  to mean something else entirely
> and of parsing, hashing, or encoding URL tails in ways that
> effectively disable the intent of the spec.

> I think that represents a reasonable balance with reality and
> existing practice while avoiding IETF endorsement of practices
> we have ample reason to believe are undesirable and should not
> be encouraged or endorsed.

> An alternative would be to not standardize this at all but
> simply publish a slightly-revised version of the document as an
> Informational description of existing practice, noting W3C
> endorsement to whatever degree that is appropriate.  I actually
> don't think that is a particularly good idea, but it would be
> another way out.

Agreed on all points. I'm also not wild on the alternative, but as you
say, it would be acceptable.

				Ned

[apps-discuss] Reserved URI query parameter in dr… Pete Resnick
Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
Re: [apps-discuss] Reserved URI query parameter i… Julian Reschke
Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
Re: [apps-discuss] Reserved URI query parameter i… Carsten Bormann
Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
Re: [apps-discuss] Reserved URI query parameter i… Mike Jones
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
Re: [apps-discuss] Reserved URI query parameter i… Derek Atkins
Re: [apps-discuss] Reserved URI query parameter i… William Mills
Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
Re: [apps-discuss] Reserved URI query parameter i… William Mills
Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
Re: [apps-discuss] Reserved URI query parameter i… Mike Jones
Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… William Mills
Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt