IETF Logo Mail Archive

Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

John C Klensin <john-ietf@jck.com> Fri, 13 April 2012 23:41 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C53011E813A for <apps-discuss@ietfa.amsl.com>; Fri, 13 Apr 2012 16:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.162
X-Spam-Level:
X-Spam-Status: No, score=-102.162 tagged_above=-999 required=5 tests=[AWL=-0.163, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ehn-l67cpVO4 for <apps-discuss@ietfa.amsl.com>; Fri, 13 Apr 2012 16:41:42 -0700 (PDT)
Received: from bsa2.jck.com (ns.jck.com [70.88.254.51]) by ietfa.amsl.com (Postfix) with ESMTP id 2673511E8138 for <apps-discuss@ietf.org>; Fri, 13 Apr 2012 16:41:41 -0700 (PDT)
Received: from [198.252.137.7] (helo=PST.JCK.COM) by bsa2.jck.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1SIq2E-000GR4-3T; Fri, 13 Apr 2012 19:36:10 -0400
Date: Fri, 13 Apr 2012 19:41:25 -0400
From: John C Klensin <john-ietf@jck.com>
To: Carsten Bormann <cabo@tzi.org>, Tim Bray <tbray@textuality.com>
Message-ID: <727EF992755CC4973CC63C45@PST.JCK.COM>
In-Reply-To: <EA3F224E-B219-4753-8D6D-27A1BDDF97FB@tzi.org>
References: <4F866AC0.3000603@qualcomm.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2FE2816@P3PWEX2MB008.ex2.secureserver.net> <CAHBU6iuR+2CfPsPdkjMJCSmzrX1B8_nLB=xp_NRZi7db78V8vw@mail.gmail.com> <EA3F224E-B219-4753-8D6D-27A1BDDF97FB@tzi.org>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: Pete Resnick <presnick@qualcomm.com>, draft-ietf-oauth-v2-bearer.all@tools.ietf.org, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2012 23:41:42 -0000

--On Saturday, April 14, 2012 01:11 +0200 Carsten Bormann
<cabo@tzi.org> wrote:

> On Apr 12, 2012, at 18:34, Tim Bray wrote:
> 
>> Well, it would claim it as a reserved paramater name if there
>> a way to do such a thing, which there explicitly isn't in
>> RFC3986.  URIs are for most application purposes opaque
>> strings; this breaks that and is a hideous architectural
>> botch.
> 
> I would like to turn this observation around.
> 
> People put stuff like this into the URI because there are
> applications where it would be useful to combine information
> such as what we'd prefer to put into HTTP header fields with
> URI information into one *thing*. (Or they put stuff into
> Cookies because this URI munching doesn't always work very
> well either.)
> 
> Independent from the specific subject here (where there is
> little point in further invention), I think it would be useful
> to explore a little more the reasons for this and maybe find a
> better way to carry around information that is ancillary to a
> resource access.  The recent http+aes brouhaha is another
> (somewhat different, as it is client-side only) example for
> this need, I think.  (The way mailto: has evolved is an
> example where this need could be met within the URI scheme.)

Carsten,

Just a quick personal opinion, related to your more general
comment above but almost unrelated to the specific OAUTH
parameter.

We (that is IETF and W3C) made a decision (a very long time ago
as these things go) to not establish an explicit terminator for
the end of a URI tail.  If we had such a terminator, we would
now have a place, post-terminator, for putting "stuff" that is
important but that would not foul up comparison of URIs.  If we
were smart about it, we might even establish a keyword registry
for things hung off  the end, thereby eliminating one of the
other problems that people are concerned about.

I don't know if it would be possible to revisit that decision at
this point.  Certainly it would be painful if it were even
possible.  But it seems to me that it, or something like it (an
equally difficult possibility might be to figure out a way to
hide qualifying information in the vicinity of the Method field)
are, I think, the only ways that one can both insert information
that is relevant to aspects of URIs generally without
compromising either the ability to compare them of the
assumption that anything that falls into the tail belongs to the
target server and gets interpreted pretty much as it desires.

regards,
    john

v2.23.0 | Report a Bug | By Email