Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

William Mills <> Tue, 03 January 2012 19:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2355B11E80E3 for <>; Tue, 3 Jan 2012 11:44:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -16.437
X-Spam-Status: No, score=-16.437 tagged_above=-999 required=5 tests=[AWL=1.161, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JlJoCdgqCOg9 for <>; Tue, 3 Jan 2012 11:44:46 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 977DA11E80E1 for <>; Tue, 3 Jan 2012 11:44:45 -0800 (PST)
Received: from [] by with NNFMP; 03 Jan 2012 19:44:40 -0000
Received: from [] by with NNFMP; 03 Jan 2012 19:44:40 -0000
Received: from [] by with NNFMP; 03 Jan 2012 19:44:40 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 47976 invoked by uid 60001); 3 Jan 2012 19:44:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ginc1024; t=1325619879; bh=t6+dRNPIJTXqW4c3P8lA6UeuRiAtUnIaILIXRe555ik=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=lc+0P39tw/G4zXx8y2T5iZ4v0rPlJv87m48UyfALXrVruP3lrs/+xr1HQS7+qUGocSsw8BYdf0EgW1urf6jQeQghieTjIYDIrBd4BrFVMjaQlKL7u7QcA4l68KfUMo1k/WtJisSWTzW7VSLKYuGV5Orr+WDjXfVx71LtkxvBD6Q=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024;; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=VTUm2VtmZDQVZQlVYMdcv/xmvfd53dbWNwve7NLfEfaccPy9Pxnv1hilpK/OHIiRorPaWKim4hRxBXcUs5Ye5dJhLFnoVwJqxBqEWDJNTttbh9CaBQyUS7zwXmOmKU+nUOTgHhsB6H8QAQ6aphVx012nkd8qmLarQ+MAl0I82yY=;
X-YMail-OSG: 0p_WMWcVM1lgxegCDGaBR7l5Q7pDXs8V9lhlU3qQh5gAcSV 7D0KHvrUTe36JI2sN5Tb7kkz3rTyDmEk6oinQScTNWjTjzaZjm5KD7toqrV7 QgaYiqTk9cmk9PvjZwNSzrHGbTMA_kzmvcY6lD9zBMyJgwvBb3Wu377OWVcK zAgwyzk_yh9htC2aNdj79Esg64FD8l4vT_eLc1TPQikRylwAJNPBsq4dqQdp xp7pWwvRsShPqhauYQNLvLZbn_jDveho.TRafcZ6K8r7yH3OHRkcaJAdl3iE Squs2S5V2MJqYfX8.nMvOcwANB2KImYc850SkhWs7YoPpkuB4IAepZXXkhpl bOTZ5Ki3rGPSmM7mMuUHNDg84I8BD1nEGPU4DsDSwqzWngtf1gY0_iPJOspl 8XiLsd8kPyj_.Iu0efsERu5T7AHlSzTwRBA--
Received: from [] by via HTTP; Tue, 03 Jan 2012 11:44:39 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/
References: <> <> <> <> <> <> <> <>
Message-ID: <>
Date: Tue, 03 Jan 2012 11:44:39 -0800
From: William Mills <>
To: William Mills <>, Mike Jones <>, Julian Reschke <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="767760015-608514281-1325619879=:36939"
Cc: Mark Nottingham <>, Barry Leiba <>, OAuth WG <>
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <>
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Jan 2012 19:44:48 -0000

By "parameter syntax" I mean the syntax of the Authentication HTTP header.

 From: William Mills <>
To: Mike Jones <>; Julian Reschke <> 
Cc: Mark Nottingham <>; Barry Leiba <>; OAuth WG <> 
Sent: Tuesday, January 3, 2012 11:35 AM
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?

Is all this only around the scope parameter?  My mail cited below is with regards to the character set for a valid scope parameter, which we should be able to define and then lean on the HTTPbis spec for the actual parameter syntax.

 From: Mike Jones <>
To: Julian Reschke <> 
Cc: Mark Nottingham <>; Barry Leiba <>; OAuth WG <> 
Sent: Friday, December 30, 2011 3:19 PM
Subject: Re: [OAUTH-WG] auth-param syntax, was:  OK to post OAuth Bearer draft 15?
I did already back the statement that this is the working group consensus with the e-mails attached in this note sent to you on December 12, 2011:

But since that apparently wasn't convincing to you that this working group decision represents more than "just me disagreeing with you", here are references to individual messages referenced in the above e-mail:
  - Eran Hammer-Lahav:
  - John Bradley:
  - William Mills:
  - Mike Jones:
  - Phil Hunt:
  - Justin Richer:

As for your assertion that the specs are in conflict, yes, the Bearer spec includes a different decision than a RECOMMENDED clause in the HTTPbis spec (which was added after the Bearer text was already in place).  However, it is not violating any MUST clauses in the HTTPbis spec.  Given that no MUSTS are violated, I don't see it mandatory for this tension to be resolved in favor of one spec or the other in order for both to be approved as RFCs.  I look forward to seeing that happen soon in both cases (and for the OAuth core spec as well).

                Best wishes,
                -- Mike

-----Original Message-----
From: Julian Reschke [] 
Sent: Friday, December 30, 2011 2:26 AM
To: Mike Jones
Cc: Barry Leiba; Mark Nottingham; OAuth WG
Subject: Re: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?

On 2011-12-29 22:18, Mike Jones wrote:
> You proposed, Julian "3. Do not specify the ABNF. The ABNF of the WWW-Authenticate is defined in HTTPbis. Just state the names of the parameters, their syntax *after* parsing and their semantics."
> About some of Mark Nottingham's comments, Barry wrote "Let me point out that "this represents working-group consensus" is not always a valid response.  If the working group has actually considered the *issue*, that might be OK.  But if there's consensus for the chosen solution and someone brings up a *new* issue with it, that issue needs to be addressed anew."
> Relative to these two statements, I believe that I
 should remark at this point that your proposed semantics of only considering the syntax after potential quoting was explicitly considered earlier by the working group and rejected.  The consensus, instead, was for the present "no quoting will occur for legal inputs" semantics.

It would be helpful if you could back this statement with pointers to mails. As far as I can tell it's just you disagreeing with me.

Back to the facts:

a) the bearer spec defines an HTTP authentication scheme, and normatively refers to HTTPbis Part7 for that

b) HTTPbis recommends new scheme definitions not to have their own ABNF, as the header field syntax is defined by HTTPbis, not the individual scheme

c) the bearer spec defines it's own ABNF nevertheless

So the two specs are in conflict, and we should resolve the conflict one way or the other.

If you disagree with the recommendation in HTTPbis, then you really really should
 come over to HTTPbis WG and argue your point of view.

If you agree with it, but think that the bearer spec can't follow the recommendation, then it would be good to explain the reasoning (optimally in the spec).

If you agree with it, and think the bearer spec *could* follow it, then... change it, by all means.

Anyway, if this issue isn't resolved before IETF LC then it will be raised again at that time.

> I believe that in the New Year the chairs and area directors will need to decide how to proceed on this issue.  (The working group consensus, as I see it, is already both well-informed and clear on this point, but I understand that that's not the only consideration.)  It would be good to see the spec finished shortly.
> ...

Best regards, Julian

OAuth mailing list

OAuth mailing list