Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

Bayard Bell <Bayard.Bell@twosigma.com> Tue, 27 August 2019 21:23 UTC

Return-Path: <Bayard.Bell@twosigma.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BDCB12012E for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2019 14:23:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHjbFM-zO0ZY for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2019 14:23:41 -0700 (PDT)
Received: from mxo1.nje.dmz.twosigma.com (mxo1.nje.dmz.twosigma.com [208.77.214.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF2A2120113 for <oauth@ietf.org>; Tue, 27 Aug 2019 14:23:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mxo1.nje.dmz.twosigma.com (Postfix) with ESMTP id 46J2171wmxz7t9D; Tue, 27 Aug 2019 21:23:39 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at twosigma.com
Received: from mxo1.nje.dmz.twosigma.com ([127.0.0.1]) by localhost (mxo1.nje.dmz.twosigma.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azSzgLlF3HT3; Tue, 27 Aug 2019 21:23:39 +0000 (GMT)
Received: from EXMBNJE6.ad.twosigma.com (exmbnje6.ad.twosigma.com [172.20.45.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mxo1.nje.dmz.twosigma.com (Postfix) with ESMTPS id 46J21710KDz3wZ3; Tue, 27 Aug 2019 21:23:39 +0000 (GMT)
Received: from EXMBNJE10.ad.twosigma.com (172.20.2.246) by EXMBNJE6.ad.twosigma.com (172.20.45.169) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 27 Aug 2019 21:23:38 +0000
Received: from EXMBNJE11.ad.twosigma.com (172.20.2.181) by EXMBNJE10.ad.twosigma.com (172.20.2.246) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 27 Aug 2019 21:23:38 +0000
Received: from EXMBNJE11.ad.twosigma.com ([fe80::a1d5:365c:d606:f6d1]) by EXMBNJE11.ad.twosigma.com ([fe80::a1d5:365c:d606:f6d1%19]) with mapi id 15.00.1365.000; Tue, 27 Aug 2019 21:23:38 +0000
From: Bayard Bell <Bayard.Bell@twosigma.com>
To: John Bradley <ve7jtb@ve7jtb.com>, William Denniss <wdenniss@google.com>
CC: RFC Errata System <rfc-editor@rfc-editor.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, Benjamin Kaduk <kaduk@mit.edu>, oauth <oauth@ietf.org>, Roman Danyliw <rdd@cert.org>, "rfc8252@ve7jtb.com" <rfc8252@ve7jtb.com>, "rfc8252@wdenniss.com" <rfc8252@wdenniss.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Thread-Topic: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)
Thread-Index: AQHVXEEnHPgiallIu0ydb6QIPYRKdqcN5iSAgADsLACAAK/8AA==
Date: Tue, 27 Aug 2019 21:23:38 +0000
Message-ID: <7a4d4121f5cf4979bee6ad157323c893@EXMBNJE11.ad.twosigma.com>
References: <20190826190427.A7DADB80BB9@rfc-editor.org> <CAAP42hAgNm=E1f6DU7pUH23NAoLW9=4CEKWTT7wgk3PY_5s33Q@mail.gmail.com> <CAANoGhKTuEauUC-0f9bj8O=ewpNbN4a3NLDHLh3u45Tabt+SBA@mail.gmail.com>
In-Reply-To: <CAANoGhKTuEauUC-0f9bj8O=ewpNbN4a3NLDHLh3u45Tabt+SBA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.20.187.15]
Content-Type: multipart/alternative; boundary="_000_7a4d4121f5cf4979bee6ad157323c893EXMBNJE11adtwosigmacom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1WmETT-S5xiNJC1UcMpkfuHJM3Q>
X-Mailman-Approved-At: Tue, 27 Aug 2019 14:38:13 -0700
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2019 21:23:44 -0000

Alternatively if the appendix were as of a point in time but the github references were maintained, the warning that the RFC is a point-in-time while the github references will remain current lets you defer authoring an updated BCP RFC until there are much larger changes in mechanics.

From: John Bradley <ve7jtb@ve7jtb.com>
Sent: Tuesday, August 27, 2019 6:52 AM
To: William Denniss <wdenniss@google.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; Bayard Bell <Bayard.Bell@twosigma.com>; Benjamin Kaduk <kaduk@mit.edu>; oauth <oauth@ietf.org>; Roman Danyliw <rdd@cert.org>; rfc8252@ve7jtb.com; rfc8252@wdenniss.com; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

This is not really an eratta.  Asome point we need to update the BCP with a updated RFC.   Perhaps the time is now to start a new draft that can capture the changes in iOS, OSX and others.

John B.

On Mon, Aug 26, 2019, 10:46 PM William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:
Process-wise I'm not sure if errata should be used to capture changing implementation details like this. We expected the implementation details that we documented in the appendix to change, and explicitly stated that assumption. "The implementation details herein are considered accurate at the time of publishing but will likely change over time.".

If updating those implementation details were in scope, then the proposed text should needs to be revised before being accepted due to some inaccuracies (e.g. SFSafariViewController is not a successor to ASWebAuthenticationSession).

Best,
William

On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>> wrote:
The following errata report has been submitted for RFC8252,
"OAuth 2.0 for Native Apps".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5848

--------------------------------------
Type: Technical
Reported by: Bayard Bell <bayard.bell@twosigma.com<mailto:bayard.bell@twosigma.com>>

Section: Appendix B.1

Original Text
-------------
Apps can initiate an authorization request in the browser, without
the user leaving the app, through the "SFSafariViewController" class
or its successor "SFAuthenticationSession", which implement the in-
app browser tab pattern.  Safari can be used to handle requests on
old versions of iOS without in-app browser tab functionality.

Corrected Text
--------------
Apps can initiate an authorization request in the browser, without
the user leaving the app, through the "ASWebAuthenticationSession"
class or its successors "SFAuthenticationSession" and
"SFSafariViewController", which implement the in-app browser tab
pattern.  The first of these allows calls to a handler registered
for the AS URL, consistent with Section 7.2. The latter two classes,
now deprecated, can use Safari to handle requests on old versions of
iOS without in-app browser tab functionality.

Notes
-----
SFAuthenticationSession documentation reflects deprecated status:

https://developer.apple.com/documentation/safariservices/sfauthenticationsession

Here's the documentation for ASWebAuthenticationSession:

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8252 (draft-ietf-oauth-native-apps-12)
--------------------------------------
Title               : OAuth 2.0 for Native Apps
Publication Date    : October 2017
Author(s)           : W. Denniss, J. Bradley
Category            : BEST CURRENT PRACTICE
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth