Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-rar-03.txt

Brian Campbell <bcampbell@pingidentity.com> Mon, 25 November 2019 20:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AIAuJsKc-SVfXzxTgOqEbX2epCs>

On Sun, Nov 24, 2019 at 8:18 PM Ryan Kelly <rfkelly@mozilla.com> wrote:

>
>> The "matches as prefix of one of the URLs" part of Paragraph 3 seems a
>> bit unclear as well, given that there is no requirement that the
>> "locations" elements be well-formed URLs. Is this a simple string prefix
>> match, or some sort of path matching based on the components of the URL?
>>
>> simple string match
>>
>
> Does the AS need to take any particular care about resource names that
> might accidentally be prefixes of each other, such as
> "https://example.com/payments" and "https://example.com/payme"?  That
> seems really contrived, but perhaps I'm just not creative enough to think
> of a more realistic example.
>


That particular example is maybe somewhat contrived but that kind of thing
will undoubtedly occur at some point. I do think that some sort of path
matching would be more appropriate for this.
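
The two readings discussed in this thread, side by side, as an added example that is not part of the original message or of the draft: `string_prefix_match` is the "simple string match", and `path_prefix_match` is one possible component-based comparison. The function names, the argument order (first argument tested as a prefix of the second) and the exact-match fallback for values that are not well-formed URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def string_prefix_match(prefix: str, url: str) -> bool:
    """The 'simple string match' reading: raw character comparison."""
    return url.startswith(prefix)


def _components(value: str):
    """Return (scheme, host, port, path segments), or None when the value
    is not an absolute http(s) URL. Query and fragment are ignored."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None  # refuse dot segments instead of guessing their meaning
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port, segments


def path_prefix_match(prefix: str, url: str) -> bool:
    """Component-based reading: same origin, and the prefix's path segments
    must be a leading run of whole segments of the URL's path."""
    a, b = _components(prefix), _components(url)
    if a is None or b is None:
        return prefix == url  # assumption: non-URL values match only exactly
    if a[:3] != b[:3]:
        return False
    return b[3][:len(a[3])] == a[3]


if __name__ == "__main__":
    # Constructed sample pairs; the first is the example from the thread.
    pairs = [
        ("https://example.com/payme", "https://example.com/payments"),
        ("https://example.com/payments", "https://example.com/payments/123"),
        ("payments", "payments-admin"),
    ]
    for p, u in pairs:
        print(p, u, string_prefix_match(p, u), path_prefix_match(p, u))
```
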
