Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 17 October 2011 16:28 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A10521F8CAB for <oauth@ietfa.amsl.com>; Mon, 17 Oct 2011 09:28:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DP9VEm1JV+D1 for <oauth@ietfa.amsl.com>; Mon, 17 Oct 2011 09:28:47 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 558CE21F8C55 for <oauth@ietf.org>; Mon, 17 Oct 2011 09:28:46 -0700 (PDT)
Received: (qmail invoked by alias); 17 Oct 2011 16:28:44 -0000
Received: from unknown (EHLO [10.2.210.110]) [12.229.246.2] by mail.gmx.net (mp067) with SMTP; 17 Oct 2011 18:28:44 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/I7k4ryz/I4kjsvOCcka07knMBNCEdSebttJmoQY Yr+IYthKXbKa/X
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452604B9102@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 17 Oct 2011 08:25:24 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <4DF35A25-989C-4BE4-8ACD-3520DDB8BDE9@gmx.net>
References: <4E1F6AAD24975D4BA5B16804296739435C23C5A6@TK5EX14MBXC284.redmond.corp.microsoft.com><7A22B287-CC99-4FD7-84DF-8FF5DA871FC6@gmx.net><4E1F6AAD24975D4BA5B16804296739435C23CAFE@TK5EX14MBXC284.redmond.corp.microsoft.com><89BE3D9D-AB1D-44B2-BA7D-0C0D74BCA885@gmx.net> <4E1F6AAD24975D4BA5B16804296739435C23CC9D@TK5EX14MBXC284.redmond.corp.microsoft.com> <999913AB42CC9341B05A99BBF358718DAABC44@FIESEXC035.nsn-intra.net> <4E1F6AAD24975D4BA5B16804296739435C23EA6A@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9AB561.5060904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C23F5B6@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9B1BA6.2060704@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723452604B908A@P3PW5EX1MB01.EX1.SECURESERVER.NET>, <9E5660BC-C797-454B-B2AF-48AB3E886AC7@ve7jtb.com> <B33BFB58CCC8BE4998958016839DE27EA769@IMCMBX01.MITRE.ORG> <62D2DE5D-AEBE-4A75-9C36-7A51E63DC7C3@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E723452604B9102@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 16:28:48 -0000

It is good that we have an agreement among a few people that more text needs to be provided in the core specification on the issue of the scope element. 

Now, there is still the question of what the text should say. The questions from my earlier mails are therefore still applicable and need an answer. 

Ciao
Hannes

On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote:

> I agree.
> 
> EHL
> 
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>> Sent: Monday, October 17, 2011 6:07 AM
>> To: Richer, Justin P.
>> Cc: Eran Hammer-Lahav; OAuth WG
>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>> Proposed Resolutions
>> 
>> The scopes cross all of the profiles.
>> 
>> I expect that restricting the character sets for bearer tokens, MAC, and other
>> future variants should be dealt with in those profiles.
>> 
>> Without restricting scope in core, we leave the possibility of coming up with
>> different rules in different profiles e.g. MAC vs Bearer.
>> 
>> It is probably best to have one rule in core that works across all the profiles.
>> 
>> John B.
>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote:
>> 
>>> I think the limit makes sense, but then are tokens limited by the same
>> rules? They need to live in all the same places (query parameters, headers,
>> forms) that scopes do and would be subject to the same kinds of encoding
>> woes that scopes will. Or am I missing something obvious as to why this isn't
>> a problem for tokens (both bearer tokens and the public part of MAC tokens)
>> but is a problem for scope strings?
>>> 
>>> -- Justin
>>> ________________________________________
>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of
>>> John Bradley [ve7jtb@ve7jtb.com]
>>> Sent: Sunday, October 16, 2011 8:11 PM
>>> To: Eran Hammer-Lahav
>>> Cc: OAuth WG
>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>> Proposed Resolutions
>>> 
>>> Restricting it now in the core spec is going to save a lot of headaches later.
>>> 
>>> John B.
>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote:
>>> 
>>>> It's an open question for the list.
>>>> 
>>>> EHL
>>>> 
>>>>> -----Original Message-----
>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>>>> Sent: Sunday, October 16, 2011 11:00 AM
>>>>> To: Mike Jones
>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth
>>>>> WG; Eran Hammer-Lahav
>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>>>> Proposed Resolutions
>>>>> 
>>>>> On 2011-10-16 18:44, Mike Jones wrote:
>>>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide
>>>>>> range of
>>>>> characters in scope was unintentional. The design was limited to
>>>>> allow simple ASCII strings and URIs."
>>>>>> ...
>>>>> 
>>>>> I see. Thanks.
>>>>> 
>>>>> Is this going to be clarified in -23?
>>>>> 
>>>>> Best regards, Julian
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth