Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 17 October 2011 16:28 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Mon, 17 Oct 2011 08:25:24 -0700
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>

It is good that we have an agreement among a few people that more text needs to be provided in the core specification on the issue of the scope element. 

Now, there is still the question of what the text should say. The questions from my earlier mails are therefore still applicable and need an answer. 

Ciao
Hannes

On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote:

> I agree.
> 
> EHL
> 
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>> Sent: Monday, October 17, 2011 6:07 AM
>> To: Richer, Justin P.
>> Cc: Eran Hammer-Lahav; OAuth WG
>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>> Proposed Resolutions
>> 
>> The scopes cross all of the profiles.
>> 
>> I expect that restricting the character sets for bearer tokens, MAC, and other
>> future variants should be dealt with in those profiles.
>> 
>> Without restricting scope in core, we leave the possibility of coming up with
>> different rules in different profiles e.g. MAC vs Bearer.
>> 
>> It is probably best to have one rule in core that works across all the profiles.
>> 
>> John B.
>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote:
>> 
>>> I think the limit makes sense, but then are tokens limited by the same
>>> rules? They need to live in all the same places (query parameters, headers,
>>> forms) that scopes do and would be subject to the same kinds of encoding
>>> woes that scopes will. Or am I missing something obvious as to why this isn't
>>> a problem for tokens (both bearer tokens and the public part of MAC tokens)
>>> but is a problem for scope strings?
>>> 
>>> -- Justin
>>> ________________________________________
>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of
>>> John Bradley [ve7jtb@ve7jtb.com]
>>> Sent: Sunday, October 16, 2011 8:11 PM
>>> To: Eran Hammer-Lahav
>>> Cc: OAuth WG
>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>> Proposed Resolutions
>>> 
>>> Restricting it now in the core spec is going to save a lot of headaches later.
>>> 
>>> John B.
>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote:
>>> 
>>>> It's an open question for the list.
>>>> 
>>>> EHL
>>>> 
>>>>> -----Original Message-----
>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>>>> Sent: Sunday, October 16, 2011 11:00 AM
>>>>> To: Mike Jones
>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth
>>>>> WG; Eran Hammer-Lahav
>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>>>> Proposed Resolutions
>>>>> 
>>>>> On 2011-10-16 18:44, Mike Jones wrote:
>>>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide range of
>>>>>> characters in scope was unintentional. The design was limited to
>>>>>> allow simple ASCII strings and URIs."
>>>>>> ...
>>>>> 
>>>>> I see. Thanks.
>>>>> 
>>>>> Is this going to be clarified in -23?
>>>>> 
>>>>> Best regards, Julian
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
> 
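The thread above asks what character set "scope" should be limited to and whether tokens face the same encoding problems. As an added illustration that is not part of this mail thread, the following validator implements the rules the working group later published: the scope-token ABNF of RFC 6749 section 3.3 and the b64token ABNF of RFC 6750 section 2.1. The sample inputs are constructed for the example.

```python
import re

# Added example, not from the OAuth WG thread. Grammar as later published:
#   RFC 6749 s3.3:  scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
#                   scope       = scope-token *( SP scope-token )
#   RFC 6750 s2.1:  b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# scope-token is printable ASCII minus SP, double quote and backslash, which is
# why a scope value survives query strings, headers and form bodies unchanged.
SCOPE_TOKEN_RE = re.compile(r'^[\x21\x23-\x5b\x5d-\x7e]+$')
B64TOKEN_RE = re.compile(r'^[A-Za-z0-9._~+/-]+=*$')


def scope_tokens(scope: str) -> list:
    """Split a scope parameter into its tokens; raise ValueError if it is malformed.

    Splitting on a single SP means a double space, tab or trailing space yields
    an empty (hence invalid) token, matching the ABNF's single-SP separator.
    """
    if scope == "":
        raise ValueError("scope must contain at least one scope-token")
    tokens = scope.split(" ")
    for tok in tokens:
        if not SCOPE_TOKEN_RE.match(tok):
            raise ValueError(f"invalid scope-token: {tok!r}")
    return tokens


def is_valid_scope(scope: str) -> bool:
    """True if the whole scope parameter conforms to RFC 6749 section 3.3."""
    try:
        scope_tokens(scope)
        return True
    except ValueError:
        return False


def is_valid_b64token(token: str) -> bool:
    """True if a bearer token value conforms to the RFC 6750 b64token rule.

    Padding '=' is only permitted at the end, so 'abc=def' is rejected.
    """
    return B64TOKEN_RE.match(token) is not None


if __name__ == "__main__":
    # Constructed sample values: a URI-style scope and an RFC 6750-shaped token.
    print(scope_tokens("read write:photos https://example.com/api"))
    print(is_valid_scope('say"hi"'), is_valid_b64token("mF_9.B5f-4.1JqM"))
```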