Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 15 April 2012 20:49 UTC

Message-ID: <4F8B346E.5040300@cs.tcd.ie>
Date: Sun, 15 Apr 2012 21:49:50 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Eran Hammer <eran@hueniverse.com>
References: <4F866AC0.3000603@qualcomm.com> <01OE8FW1U53G00ZUIL@mauve.mrochek.com> <82462DAA-5118-4108-AA5C-FBEBBC563D4E@mnot.net> <01OE921YMRSW00ZUIL@mauve.mrochek.com> <4F8898A9.8020806@cs.tcd.ie> <22B64109-DAFD-4F2A-B1DA-5950E732882A@mnot.net> <4F88AA3A.8040401@cs.tcd.ie> <0CBAEB56DDB3A140BA8E8C124C04ECA2FE83A2@P3PWEX2MB008.ex2.secureserver.net>
In-Reply-To: <0CBAEB56DDB3A140BA8E8C124C04ECA2FE83A2@P3PWEX2MB008.ex2.secureserver.net>
Cc: Pete Resnick <presnick@qualcomm.com>, Mark Nottingham <mnot@mnot.net>, Ned Freed <ned.freed@mrochek.com>, Apps Discuss <apps-discuss@ietf.org>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Hi Eran,

On 04/15/2012 07:31 AM, Eran Hammer wrote:
> 
> 
>> -----Original Message-----
>> From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org] On Behalf Of Stephen Farrell
>> Sent: Friday, April 13, 2012 3:36 PM
>> To: Mark Nottingham
>> Cc: Pete Resnick; Ned Freed; draft-ietf-oauth-v2-bearer.all@tools.ietf.org; Apps Discuss
>> Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
>>
>>
>>
>> On 04/13/2012 10:24 PM, Mark Nottingham wrote:
>>> Because it's a name space that is managed and owned by the authority of
>>> the URI, not any standards organisation.
>>>
>>> I.e. we tell them how the URI is structured, not what to put into it.
>>>
>>> We made *one* exception for this in .well-known as an escape valve for
>>> abuse. If we continue allowing this kind of abuse, we'll have little defence
>>> against things like standardising filename extensions in URLs and reserving an
>>> "/about/" URI's semantics -- things which are clearly violating the architecture
>>> of the WWW:
>>>  http://www.w3.org/TR/webarch/#uri-opacity
>>
>> (Sticking with the naivety:-) So, what's different there from how the base
>> oauth draft registers client_id and shows how that can be used in a GET
>> request? [1]
> 
> Big difference. The base draft specifies its own endpoints as part of a complete API package for obtaining authorization. These parameters are scoped only for the endpoints defined and not for any others. There is no possibility of conflict because the specification defines the entire namespace.

I guess that might be a big difference, not sure. Where is that
aspect (a complete API package) described in the oauth base spec
or elsewhere?

I also don't recall mention of API packages in the other responses
on this thread, so I'm not sure if that's a widespread opinion
or if there's disagreement about it.

> OTOH, the bearer spec is applied to *any* web resources using OAuth authentication where some other namespace definition must exist.

Seems like a fair point. But like I said above, I'm unsure if
that's just a matter of degree or not. (Maybe the base spec is
"a little bit pregnant" in this respect? ;-)

S

> EH
>  
>> Ta,
>> S.
>>
>> [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-25#page-24
>>     (bottom of page)
>>
>>
>>>
>>> Cheers,
>>>
>>>
>>> On 13/04/2012, at 4:20 PM, Stephen Farrell wrote:
>>>
>>>>
>>>>
>>>> On 04/13/2012 08:43 AM, Ned Freed wrote:
>>>>> I certainly don't object to doing that. In fact I don't object to
>>>>> dropping this nasty hack from the document, although perhaps
>>>>> documenting it as *not* standardized and explaining why it sucks would
>>>>> be even better.
>>>>
>>>> So I've a possibly naive question:
>>>>
>>>> Why is it harmful to standardise a parameter name for use in query
>>>> strings?
>>>>
>>>> Note: I'm not asking if access_token is a good or bad name for one of
>>>> those, nor how exactly to standardise one well or badly, nor who
>>>> should do that, but it seems from the comments here that some folks
>>>> think that standardising anything after the authority is a bad idea,
>>>> and I don't get why exactly that might be the case.
>>>>
>>>> Thanks,
>>>> S.
>>>>
>>>
>>> --
>>> Mark Nottingham
>>> http://www.mnot.net/
>>>
>>>
>>>
>>>
>>>