Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

Mike Jones <Michael.Jones@microsoft.com> Sun, 01 January 2012 19:41 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Thread-Topic: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?
Date: Sun, 01 Jan 2012 19:41:42 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F79132B@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F763122@TK5EX14MBXC283.redmond.corp.microsoft.com> <F6FCE30E-20FE-4FCD-AC31-AB227A42F2D2@mnot.net> <4E1F6AAD24975D4BA5B16804296739435F772D1D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EEF13F1.7030409@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F78F5BB@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EFD91B4.5050904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F790386@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EFEF8F1.9070406@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F790F3D@TK5EX14MBXC283.redmond.corp.microsoft.com> <4F00B0B6.4020209@gmx.de>
In-Reply-To: <4F00B0B6.4020209@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>, Barry Leiba <barryleiba@computer.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

I'll note that in some profiles, the Bearer challenge may be the only one that the application may legally use.  In that case, there's no need to be able to parse other challenges that the application can't fulfill in the first place.  The application would fail if an unsupported challenge type was used in either case.

As editor, I'll note that it doesn't seem like this discussion is moving the process forward anymore.  I believe that we've sufficiently clarified that you hold a different position than the working group consensus (which I realize is your right to do).  I also believe that the issues have been sufficiently well discussed on the list for all parties to be well informed.

Therefore, it seems that my earlier observation still holds:  In the New Year, the chairs and area directors (and possibly the OAuth design committee) will need to decide how to proceed on this issue.  It would be good to see the spec finished shortly.

				All the best,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Sunday, January 01, 2012 11:15 AM
To: Mike Jones
Cc: Barry Leiba; Mark Nottingham; OAuth WG
Subject: Re: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?

On 2011-12-31 20:40, Mike Jones wrote:
> Maybe I misunderstood your position.  If you agree that '\' may not occur in the INPUT string, then that issue can be closed.  That was the working group consensus position, per the cited e-mails.  I thought that you were arguing that syntax restrictions on the parameters should only be placed upon the OUTPUT string - which forces all implementations to support unnecessary encodings like "\a\b\c" for "abc".  Please let me know whether you're fine with the working group prohibiting the use of '\' in the input string as the spec presently does.

I'm not ok with that, because it's totally beside the point.

A recipient of WWW-Authenticate needs to use a proper parser for that header field. And if you use a proper parser, it doesn't matter.

I'm not saying anybody should send something like that. What I'm saying is that you shouldn't create an illusion that a recipient doesn't need to deal with it.

A recipient that can't handle quoted-string syntax in auth-params is broken. A recipient that can't handle token syntax in auth-params is broken as well.

Finally, please re-read what I said: the syntax of the challenge is defined by HTTP. The bearer spec can't change the parsing rules, because you need a generic parser to properly handle header fields containing multiple challenges. Once that generic parser has done its job, it should not matter anymore whether a value used the token syntax or the quoted-string syntax, and also it shouldn't matter anymore whether unescaping has taken place or not.

What you're trying to do is comparable with defining an XML vocabulary where you profile how an attribute is serialized (' vs ", character encoding, escaping). Don't.

Best regards, Julian
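Added example, not code from the thread or from either participant: the kind of generic WWW-Authenticate parser the exchange above is about. It lexes the field value with the HTTP auth-param grammar (token "=" token | quoted-string), splits it into challenges, and resolves quoted-pair escapes, so a Bearer client ends up with the same parameter value for scope=abc, scope="abc" and scope="\a\b\c", and still finds its challenge when another scheme's challenge precedes it. Function names and the sample header value are constructed for this example.

```python
import re

# Grammar (RFC 2617, carried into HTTPbis): WWW-Authenticate = comma-separated challenges,
# each an auth-scheme followed by auth-params of the form token "=" (token | quoted-string).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
LEXER = re.compile(r"\s*(?:(?P<q>" + QUOTED + r")|(?P<t>" + TOKEN + r")|(?P<p>[=,]))")

def unquote(qs):
    """quoted-string -> value: drop the quotes and resolve each quoted-pair \\x to x."""
    return re.sub(r"\\(.)", r"\1", qs[1:-1])

def parse_www_authenticate(value):
    """Return [(scheme, {param: value}), ...]; scheme and param names are lowercased."""
    tokens, pos, value = [], 0, value.rstrip()
    while pos < len(value):                      # anchored lexing: nothing is skipped silently
        m = LEXER.match(value, pos)
        if not m:
            raise ValueError("malformed WWW-Authenticate at offset %d" % pos)
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    challenges, i = [], 0
    while i < len(tokens):
        if tokens[i] == ("p", ","):              # empty list element, tolerated
            i += 1
            continue
        if tokens[i][0] != "t":
            raise ValueError("expected auth-scheme, got %r" % tokens[i][1])
        scheme, params, i = tokens[i][1].lower(), {}, i + 1
        while i < len(tokens):
            kind, text = tokens[i]
            if (kind, text) == ("p", ","):
                i += 1
            elif kind == "t" and i + 2 < len(tokens) and tokens[i + 1] == ("p", "=") and tokens[i + 2][0] in "tq":
                params[text.lower()] = unquote(tokens[i + 2][1]) if tokens[i + 2][0] == "q" else tokens[i + 2][1]
                i += 3                           # consumed name "=" value (token or quoted-string)
            elif kind == "t":
                break                            # bare token: the next challenge's scheme
            else:
                raise ValueError("malformed auth-param near %r" % text)
        challenges.append((scheme, params))
    return challenges

def bearer_params(value):
    for scheme, params in parse_www_authenticate(value):
        if scheme == "bearer":                   # reached only by parsing past the other challenges
            return params
    return None                                  # no Bearer challenge offered
# Constructed sample: a Basic challenge first, then Bearer with one escaped quoted-string value.
SAMPLE = 'Basic realm="users", Bearer realm="example", scope="\\a\\b\\c", error=invalid_token'
```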