Re: [OAUTH-WG] PAR - Guidance on the request URI structure needed?

Benjamin Kaduk <kaduk@mit.edu> Mon, 27 April 2020 22:25 UTC

Date: Mon, 27 Apr 2020 15:25:28 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Justin Richer <jricher@mit.edu>
Cc: Filip Skokan <panva.ip@gmail.com>, oauth <oauth@ietf.org>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Message-ID: <20200427222528.GG27494@kduck.mit.edu>
References: <A680BD1A-1E79-40C0-B325-91EEEFD7BDA5@lodderstedt.net> <CALAqi_-xtfcrWg0bvMTae9GkbOzCorNENpPiwt0kjzw5sgn_Mg@mail.gmail.com> <32A77307-BFE4-4A0E-99F6-B9567DF38645@mit.edu>
In-Reply-To: <32A77307-BFE4-4A0E-99F6-B9567DF38645@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4UnSp7g8D7H5m1H7D0uAvUavKPw>

On Mon, Apr 27, 2020 at 12:58:09PM -0400, Justin Richer wrote:
> I agree that any URI could be used but that it MUST be understood by the AS to be local to the AS (and not something that can be impersonated by an attacker). I wouldn’t even go so far as RECOMMENDED, but it’s certainly an option.

IIUC BCP 190 has similar thoughts on the matter...

-Ben
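What the "must be understood by the AS to be local to the AS" check looks like in code, as an added example that is not part of this thread and not any real authorization server's implementation: the AS mints every request_uri itself, keeps the pushed parameters server-side, and at the authorization endpoint only resolves references of its own form back into that store, never fetching a request object from a URL the client chose. It assumes the URN form the PAR spec later settled on (RFC 9126, prefix urn:ietf:params:oauth:request_uri:); the class and function names, the 60-second lifetime and the sample client and parameters are hypothetical, constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Prefix the published PAR spec (RFC 9126) uses for AS-minted request URIs.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
DEFAULT_LIFETIME_SECONDS = 60  # hypothetical policy; the spec leaves the lifetime to the AS


class InvalidRequestURI(Exception):
    """Maps to an invalid_request_uri error at the authorization endpoint."""


@dataclass
class StoredRequest:
    client_id: str
    params: Dict[str, str]
    expires_at: float


class PushedAuthorizationStore:
    """In-memory store of pushed authorization requests (hypothetical AS component).

    The AS chooses every request_uri and only ever resolves references back
    into this store, so a client cannot point the AS at an attacker-controlled
    host and have whatever it serves treated as an authoritative request.
    """

    def __init__(self, lifetime: int = DEFAULT_LIFETIME_SECONDS,
                 now: Callable[[], float] = time.time) -> None:
        self._lifetime = lifetime
        self._now = now  # injectable clock so expiry can be exercised offline
        self._requests: Dict[str, StoredRequest] = {}

    def push(self, client_id: str, params: Dict[str, str]) -> Tuple[str, int]:
        """PAR endpoint: store the authenticated client's parameters, return (request_uri, expires_in)."""
        if params.get("client_id", client_id) != client_id:
            raise InvalidRequestURI("client_id in the pushed body does not match the authenticated client")
        # 32 random bytes -> 43 URL-safe characters: the reference is unguessable,
        # so the store never needs to trust anything else about the URI.
        ref = secrets.token_urlsafe(32)
        self._requests[ref] = StoredRequest(client_id, dict(params), self._now() + self._lifetime)
        return REQUEST_URI_PREFIX + ref, self._lifetime

    def resolve(self, client_id: str, request_uri: str) -> Dict[str, str]:
        """Authorization endpoint: exchange a request_uri for the stored parameters.

        Anything not of the AS's own form is rejected before any lookup; that is
        the 'local to the AS, not impersonable by an attacker' check.
        """
        if not request_uri.startswith(REQUEST_URI_PREFIX):
            raise InvalidRequestURI("request_uri was not issued by this authorization server")
        ref = request_uri[len(REQUEST_URI_PREFIX):]
        # Hash lookup keyed by the opaque reference; pop makes each request_uri single use.
        stored = self._requests.pop(ref, None)
        if stored is None:
            raise InvalidRequestURI("unknown or already used request_uri")
        if self._now() > stored.expires_at:
            raise InvalidRequestURI("request_uri has expired")
        if stored.client_id != client_id:
            raise InvalidRequestURI("request_uri was pushed by a different client")
        return stored.params


def try_resolve(store: PushedAuthorizationStore, client_id: str, request_uri: str) -> Optional[str]:
    """Return None if the AS accepts the request_uri, otherwise the rejection reason."""
    try:
        store.resolve(client_id, request_uri)
    except InvalidRequestURI as exc:
        return str(exc)
    return None


def demo() -> Dict[str, Optional[str]]:
    """Happy path plus the rejection cases, driven by a fixed clock (constructed inputs)."""
    clock = [1_000.0]
    store = PushedAuthorizationStore(lifetime=60, now=lambda: clock[0])
    client = "s6BhdRkqt3"  # hypothetical client_id
    uri, _ = store.push(client, {"response_type": "code",
                                 "redirect_uri": "https://client.example.org/cb",
                                 "scope": "openid"})
    results = {"issued_form": None if uri.startswith(REQUEST_URI_PREFIX) else "unexpected prefix"}
    results["first_use"] = try_resolve(store, client, uri)
    results["replay"] = try_resolve(store, client, uri)
    # A client-chosen https URI, even one that looks like it lives on the AS, is refused unread.
    results["foreign_uri"] = try_resolve(store, client, "https://as.example.com/par/abc123")
    other_uri, _ = store.push("other-client", {"response_type": "code"})
    results["wrong_client"] = try_resolve(store, client, other_uri)
    fresh_uri, _ = store.push(client, {"response_type": "code"})
    clock[0] += 61  # advance past the lifetime
    results["expired"] = try_resolve(store, client, fresh_uri)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome is None else outcome}")
```

The prefix test is deliberately the first thing resolve() does: a URI of any other shape, including an https URL on the AS's own hostname, never reaches the store or any fetch logic, which is what makes the reference "local" in the sense discussed above. If an AS instead chose an https form for its request URIs, the equivalent check is that the authority component is the AS's own and the path maps to its own store, not to a fetch.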