IETF Logo Mail Archive

[OAUTH-WG] Proposed resolution for issue 26

Mike Jones <Michael.Jones@microsoft.com> Fri, 23 September 2011 13:57 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C31821F8B26 for <oauth@ietfa.amsl.com>; Fri, 23 Sep 2011 06:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.461
X-Spam-Level:
X-Spam-Status: No, score=-10.461 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5TNSyugDRZ1F for <oauth@ietfa.amsl.com>; Fri, 23 Sep 2011 06:57:35 -0700 (PDT)
Received: from smtp.microsoft.com (mail2.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id E651821F8B1E for <oauth@ietf.org>; Fri, 23 Sep 2011 06:57:34 -0700 (PDT)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 23 Sep 2011 07:00:08 -0700
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.142]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.01.0339.002; Fri, 23 Sep 2011 07:00:08 -0700
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Proposed resolution for issue 26
Thread-Index: Acx5+RoYuC5sLQs0Spy/pi+T441Q9A==
Date: Fri, 23 Sep 2011 14:00:08 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435C1FC6A1@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435C1FC6A1TK5EX14MBXC285r_"
MIME-Version: 1.0
Subject: [OAUTH-WG] Proposed resolution for issue 26
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2011 13:57:36 -0000

Issue #26 http://trac.tools.ietf.org/wg/oauth/trac/ticket/26 asks whether the semantics of scope strings should be changed to require that the % character be interpreted as introducing a percent-encoded character that follows.  My proposed resolution is that %-encoding not be required in the specification; therefore no textual change would be made to the specification in response to this issue.  The reasoning behind this resolution is as follows:

1.  Interpretation of scope strings already requires semantic agreement on the meaning of the scope strings between the parties participating the OAuth flow.  Should an encoding be used for scope strings in a particularly deployment context, it is reasonable for participants to have agreed upon that encoding, just as they agree on other OAuth configuration parameters.

2.  More than one encoding methodology could reasonably be employed in scope strings.  For instance, base64url encoding of scope values could be used in some contexts.  Quoting characters with '\' is another possibility.  I see no compelling reason to mandate %-encoding over other potential encoding methods.

3.  Mandating %-encoding unnecessarily complicates implementations without providing a clear compensating benefit sufficient warrant the additional complexity.  For example, it seems unnecessary to mandate that the scope strings "email" and "%65mail" MUST compare as being equal in all implementations.

4.  If an encoding methodology for scope strings is mandated, this should be done in the OAuth Core specification - not the OAuth Bearer Token specification.

5.  I am aware of no existing practice that utilizes %-encoding of scope values.

                                                                -- Mike

v2.23.0 | Report a Bug | By Email