Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14

Mike Jones <Michael.Jones@microsoft.com> Mon, 12 December 2011 17:29 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 12 Dec 2011 17:28:54 +0000
Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE634DE.4000902@gmx.de>
In-Reply-To: <4EE634DE.4000902@gmx.de>

Julian, you should reread the (substantial) mailing list threads on this topic.  As an example demonstrating the consensus, I've attached a pair of messages from a thread on this topic in which several people supported the input restriction to preclude character quoting.

For instance, in this thread Eran Hammer-Lahav wrote:  "All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever."

You'll also find that all of these people then explicitly agreed with this restriction:
John Bradley
William Mills
Phil Hunt
Mike Jones

I believe that there were others as well.  Therefore, it is inaccurate to characterize this consensus decision as "essentially, the two of us disagreed".

				Best wishes,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Monday, December 12, 2011 9:08 AM
To: Mike Jones
Cc: Mark Nottingham; Stephen Farrell; oauth@ietf.org
Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14

Mike,

On 2011-12-12 17:51, Mike Jones wrote:
> ...
> This parameter definition was a result of significant working group 
> discussion and reflects a solid consensus position. Using the quoted
> ...

I have to object to this summary. If there was consensus, it was rough at best.

Essentially, the two of us disagreed, and nobody else said anything. So I'd characterize the current text as the editor's preference, not any kind of WG consensus.

Further note that the current text is at odds with recommendations from a spec it normatively references (HTTPbis P7), so this issue will come up again during IETF Last Call.

Best regards, Julian

--- Begin Message ---
+1

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
Sent: Monday, October 17, 2011 1:53 PM
To: John Bradley; Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

+1

From: John Bradley <ve7jtb@ve7jtb.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Sent: Monday, October 17, 2011 12:13 PM
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

+1

On 2011-10-17, at 11:53 AM, Eran Hammer-Lahav wrote:

> All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever.
>
> EHL
>
>> -----Original Message-----
>> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
>> Sent: Monday, October 17, 2011 8:25 AM
>> To: Eran Hammer-Lahav
>> Cc: Hannes Tschofenig; John Bradley; Richer, Justin P.; OAuth WG
>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>> Proposed Resolutions
>>
>> It is good that we have an agreement among a few people that more text
>> needs to be provided in the core specification on the issue of the scope
>> element.
>>
>> Now, there is still the question of what the text should say. The questions
>> from my earlier mails are therefore still applicable and need an answer.
>>
>> Ciao
>> Hannes
>>
>> On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote:
>>
>>> I agree.
>>>
>>> EHL
>>>
>>>> -----Original Message-----
>>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>>>> Sent: Monday, October 17, 2011 6:07 AM
>>>> To: Richer, Justin P.
>>>> Cc: Eran Hammer-Lahav; OAuth WG
>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>>> Proposed Resolutions
>>>>
>>>> The scopes cross all of the profiles.
>>>>
>>>> I expect that restricting the character sets for bearer tokens, MAC,
>>>> and other future variants should be dealt with in those profiles.
>>>>
>>>> Without restricting scope in core, we leave the possibility of coming
>>>> up with different rules in different profiles e.g. MAC vs Bearer.
>>>>
>>>> It is probably best to have one rule in core that works across all the
>> profiles.
>>>>
>>>> John B.
>>>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote:
>>>>
>>>>> I think the limit makes sense, but then are tokens limited by the
>>>>> same
>>>> rules? They need to live in all the same places (query parameters,
>>>> headers,
>>>> forms) that scopes do and would be subject to the same kinds of
>>>> encoding woes that scopes will. Or am I missing something obvious as
>>>> to why this isn't a problem for tokens (both bearer tokens and the
>>>> public part of MAC tokens) but is a problem for scope strings?
>>>>>
>>>>> -- Justin
>>>>> ________________________________________
>>>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of
>>>>> John Bradley [ve7jtb@ve7jtb.com]
>>>>> Sent: Sunday, October 16, 2011 8:11 PM
>>>>> To: Eran Hammer-Lahav
>>>>> Cc: OAuth WG
>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>>> Proposed Resolutions
>>>>>
>>>>> Restricting it now in the core spec is going to save a lot of headaches
>> later.
>>>>>
>>>>> John B.
>>>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote:
>>>>>
>>>>>> It's an open question for the list.
>>>>>>
>>>>>> EHL
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>>>>>> Sent: Sunday, October 16, 2011 11:00 AM
>>>>>>> To: Mike Jones
>>>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth
>>>>>>> WG; Eran Hammer-Lahav
>>>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues
>>>>>>> & Proposed Resolutions
>>>>>>>
>>>>>>> On 2011-10-16 18:44, Mike Jones wrote:
>>>>>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide
>>>>>>>> range of
>>>>>>> characters in scope was unintentional. The design was limited to
>>>>>>> allow simple ASCII strings and URIs."
>>>>>>>> ...
>>>>>>>
>>>>>>> I see. Thanks.
>>>>>>>
>>>>>>> Is this going to be clarified in -23?
>>>>>>>
>>>>>>> Best regards, Julian
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>

--- End Message ---
--- Begin Message ---
+1

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com
On 2011-10-17, at 11:53 AM, Eran Hammer-Lahav wrote:

> All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever.
>
> EHL
>

--- End Message ---
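The character-set rule Eran Hammer-Lahav states in the messages quoted above (scope limited to the subset of ASCII allowed in an HTTP quoted-string, excluding " and \ so that no escaping is ever needed) as a worked example. This is added illustration, not code from the thread, from the draft, or from any OAuth implementation; the function names, the treatment of space as the separator in a scope list, the shape of the WWW-Authenticate value and the sample scope strings are all my assumptions. The validator is a regular expression over printable ASCII minus " and \, and the quote/unquote pair shows the practical consequence of the restriction: a value that can contain neither character can be placed inside a quoted-string verbatim, and a receiver can take it back out without implementing quoted-pair processing, which removes one class of parser disagreement between senders and resource servers.

```python
import re
from typing import List, Optional

# Added example, not from the thread. The alphabet below is an assumption
# derived from Eran Hammer-Lahav's proposal: the printable ASCII characters
# allowed in an HTTP quoted-string, minus '"' (0x22) and '\' (0x5C).
# SP (0x20) is left out of a single token because space is assumed to
# separate tokens in a scope list.
SCOPE_TOKEN_RE = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def is_scope_token(token: str) -> bool:
    """True if token is non-empty and every character is in the restricted set."""
    return SCOPE_TOKEN_RE.fullmatch(token) is not None


def parse_scope(scope: str) -> List[str]:
    """Split a space-separated scope string into tokens.

    Raises ValueError on an empty token (leading, trailing or doubled spaces)
    or on any character outside the alphabet, including '"', '\\' and non-ASCII.
    """
    tokens = scope.split(" ")
    for tok in tokens:
        if not is_scope_token(tok):
            raise ValueError(f"invalid scope token: {tok!r}")
    return tokens


def scope_error(scope: str) -> Optional[str]:
    """Return the validation error for scope, or None if it is well-formed."""
    try:
        parse_scope(scope)
    except ValueError as exc:
        return str(exc)
    return None


def quote_scope(tokens: List[str]) -> str:
    """Render tokens as the quoted-string value of a scope attribute.

    Because no token may contain '"' or '\\', the joined list is wrapped in
    double quotes verbatim; quoted-pair escaping is never required.
    """
    bad = [tok for tok in tokens if not is_scope_token(tok)]
    if bad:
        raise ValueError(f"invalid scope token(s): {bad!r}")
    return '"' + " ".join(tokens) + '"'


def unquote_scope(quoted: str) -> List[str]:
    """Inverse of quote_scope.

    With the restricted alphabet a receiver only needs to strip the outer
    quotes; a general quoted-string parser would also have to undo '\\' pairs.
    """
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a quoted-string")
    return parse_scope(quoted[1:-1])


def bearer_challenge(tokens: List[str]) -> str:
    """Assumed shape of a WWW-Authenticate challenge carrying the scope list."""
    return "Bearer scope=" + quote_scope(tokens)


if __name__ == "__main__":
    # Constructed sample values.
    good = ["openid", "https://example.com/calendar.read", "a:b/c?d=e"]
    print(bearer_challenge(good))
    assert unquote_scope(quote_scope(good)) == good
    for bad in ['say"hi', "back\\slash", "caf\u00e9", "openid  profile"]:
        print(f"{bad!r:>20} -> {scope_error(bad)}")
```

The round trip in the main block is the property the thread is arguing about: with " and \ excluded, quote_scope and unquote_scope are exact inverses for every valid scope list, so a client and a resource server that each implement only the trivial strip-the-quotes step will always agree on the token list.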