Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)
Bayard Bell <Bayard.Bell@twosigma.com> Tue, 27 August 2019 21:23 UTC
Alternatively, if the appendix were as of a point in time but the GitHub references were maintained, the warning that the RFC is a point-in-time while the GitHub references will remain current lets you defer authoring an updated BCP RFC until there are much larger changes in mechanics.

From: John Bradley <ve7jtb@ve7jtb.com>
Sent: Tuesday, August 27, 2019 6:52 AM
To: William Denniss <wdenniss@google.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; Bayard Bell <Bayard.Bell@twosigma.com>; Benjamin Kaduk <kaduk@mit.edu>; oauth <oauth@ietf.org>; Roman Danyliw <rdd@cert.org>; rfc8252@ve7jtb.com; rfc8252@wdenniss.com; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

This is not really an errata. At some point we need to update the BCP with an updated RFC. Perhaps the time is now to start a new draft that can capture the changes in iOS, OSX and others.

John B.

On Mon, Aug 26, 2019, 10:46 PM William Denniss <wdenniss@google.com> wrote:

Process-wise I'm not sure if errata should be used to capture changing implementation details like this. We expected the implementation details that we documented in the appendix to change, and explicitly stated that assumption. "The implementation details herein are considered accurate at the time of publishing but will likely change over time."

If updating those implementation details were in scope, then the proposed text needs to be revised before being accepted due to some inaccuracies (e.g. SFSafariViewController is not a successor to ASWebAuthenticationSession).

Best,
William

On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:

The following errata report has been submitted for RFC8252, "OAuth 2.0 for Native Apps".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5848

--------------------------------------
Type: Technical
Reported by: Bayard Bell <bayard.bell@twosigma.com>

Section: Appendix B.1

Original Text
-------------
Apps can initiate an authorization request in the browser, without the user leaving the app, through the "SFSafariViewController" class or its successor "SFAuthenticationSession", which implement the in-app browser tab pattern. Safari can be used to handle requests on old versions of iOS without in-app browser tab functionality.

Corrected Text
--------------
Apps can initiate an authorization request in the browser, without the user leaving the app, through the "ASWebAuthenticationSession" class or its successors "SFAuthenticationSession" and "SFSafariViewController", which implement the in-app browser tab pattern. The first of these allows calls to a handler registered for the AS URL, consistent with Section 7.2. The latter two classes, now deprecated, can use Safari to handle requests on old versions of iOS without in-app browser tab functionality.

Notes
-----
SFAuthenticationSession documentation reflects deprecated status:
https://developer.apple.com/documentation/safariservices/sfauthenticationsession

Here's the documentation for ASWebAuthenticationSession:
https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8252 (draft-ietf-oauth-native-apps-12)
--------------------------------------
Title               : OAuth 2.0 for Native Apps
Publication Date    : October 2017
Author(s)           : W. Denniss, J. Bradley
Category            : BEST CURRENT PRACTICE
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG