Re: [OAUTH-WG] OAuth Digest, Vol 111, Issue 28

Stacey Maes <samaes819@gmail.com> Tue, 23 January 2018 21:29 UTC

Return-Path: <samaes819@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F63012D835 for <oauth@ietfa.amsl.com>; Tue, 23 Jan 2018 13:29:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LY7gk4a7HQyD for <oauth@ietfa.amsl.com>; Tue, 23 Jan 2018 13:29:41 -0800 (PST)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B18012D833 for <oauth@ietf.org>; Tue, 23 Jan 2018 13:29:41 -0800 (PST)
Received: by mail-yb0-x230.google.com with SMTP id i12so750297ybj.7 for <oauth@ietf.org>; Tue, 23 Jan 2018 13:29:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=+qgWFf41E5Fn79HyKQfOie2NJwVvg7PPGMcNKt4uk4A=; b=Yc9ZGFHou29jai+w6l3xzAi38sXyaMc80MOJn2sGe2ZSLUG/eDzFNTq+LB9H+H/fNR iTRX9SPDTmdCEq8YFuoufwCVNYVveV5EBUtCWNw6WuZz+k4Njv0a2RktmmOw/p/KY3Dd rXsSdzmaYvEibUugsV/HiNYwFwhh341HKAA2i0Gnug0Th6EuXMrKKZIFTspsH2/K0o/P +VTAn+Ddpd/hANj0KwhIUzukH9CKrMhs4vIpBYKsn7jCFGR6AU1mVb3JlD66Z7pJl5sl WWV/9ANKm8jRh84rh6pll1KlLoOqOssRhmMeiHWTYrrxq5gdUfsvmPM4fkWuj+fUr8Fb g3eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=+qgWFf41E5Fn79HyKQfOie2NJwVvg7PPGMcNKt4uk4A=; b=Cbynbt8dkckKnIYnajegCHK7ZMYOZkif6WQgmAKwpJXvheLUl8KdwOsExBgMke/haA ib6IOkUPKnu1Ge7sN/LrW7XzJmViPj3fY7GWk09J1H9zD5vXH5btMU2ImRknyvmRROZE 29FCot/gmZO/SHPvHQ/F3GRrKWjeBk5JcrniaJfRgbCuDKRFr1l3mcsmNerVyfBRyN1b Y7cANLBMvjSO3rdU9Ybl8peeMXO9xvouSjG7TY5BuBuoFd3AS+D/Uzf2BEjad3FvkeX8 ZRUET1x05WPdDYUHzTkiHZKFAiEb99D9GUQu0I46y2XcGfBxChxctVnFQQT9YZ8pK5Ax Peyw==
X-Gm-Message-State: AKwxytcsNt3vhUbpqk/877QituULKIUDKHYEOX3nSnjDg5rlmubEf/VW 5xAkw3bGdNR5xNDzEeFCrqdfDGt6jRjlOBfLoLc=
X-Google-Smtp-Source: AH8x227SIBvoD2P/uQQ0gx1ZiiXC00yTGmfRgP7fSkBQjxBEcwylroQTvR5VNHbi7KGDtpg+bM+7R37mSXJLaaDfdC4=
X-Received: by 10.37.95.15 with SMTP id t15mr3694411ybb.453.1516742980264; Tue, 23 Jan 2018 13:29:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.63.3 with HTTP; Tue, 23 Jan 2018 13:29:39 -0800 (PST)
Received: by 10.37.63.3 with HTTP; Tue, 23 Jan 2018 13:29:39 -0800 (PST)
In-Reply-To: <CANEhPwLK7_e6JHKLpa9jAah7FGZXxwKzMwavQZb4gyedUqL=pg@mail.gmail.com>
References: <mailman.75.1516737610.10973.oauth@ietf.org> <CANEhPwLK7_e6JHKLpa9jAah7FGZXxwKzMwavQZb4gyedUqL=pg@mail.gmail.com>
From: Stacey Maes <samaes819@gmail.com>
Date: Tue, 23 Jan 2018 14:29:39 -0700
Message-ID: <CANEhPwJrjWKLXAQi4_ofAsqjV3T1M9MgVOpC97g9Z-KNntKJZw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="089e082696f88de65a0563783ec0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BqFGwx5tg8sgUOUXlwfDuvNhI6M>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 111, Issue 28
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 21:29:44 -0000

Help

On Jan 23, 2018 1:01 PM, <oauth-request@ietf.org> wrote:

Send OAuth mailing list submissions to
        oauth@ietf.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://www.ietf.org/mailman/listinfo/oauth
or, via email, send a message with subject or body 'help' to
        oauth-request@ietf.org

You can reach the person managing the list at
        oauth-owner@ietf.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OAuth digest..."


Today's Topics:

   1. Adam Roach's Discuss on draft-ietf-oauth-discovery-08: (with
      DISCUSS and COMMENT) (Adam Roach)


----------------------------------------------------------------------

Message: 1
Date: Mon, 22 Jan 2018 18:41:54 -0800
From: Adam Roach <adam@nostrum.com>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-oauth-discovery@ietf.org, Hannes Tschofenig
        <Hannes.Tschofenig@gmx.net>et>, oauth-chairs@ietf.org,
        Hannes.Tschofenig@gmx.net, oauth@ietf.org
Subject: [OAUTH-WG] Adam Roach's Discuss on
        draft-ietf-oauth-discovery-08: (with DISCUSS and COMMENT)
Message-ID:
        <151667531481.29516.15285531314696206411.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"

Adam Roach has entered the following ballot position for
draft-ietf-oauth-discovery-08: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks to everyone who worked on this specification. I think it's
well-written,
clear, and useful. I fully endorse publication, and intend to ballot "yes"
once
we come to an agreement on the issue I describe below.

The problem I'm running into is the URL synthesis rules described in section
3.1 for multi-tenancy engage in exactly the kind of behavior that RFC 5785
was
designed to head off: it creates URLs all over the path space of the
authority,
rather than coralling all synthesized URLs to live under only one top-level
directory. One of the key aspects of the principles of the web architecture
is
URI opacity <https://www.w3.org/TR/webarch/#uri-opacity>, which generally
precludes clients from synthesizing URLs. RFC 5785 was intended as a very
limited carve-out to the principle of URI opacity, and was carefully
limited to
a single top-level path element. This specification oversteps that
carve-out by
exploding the location that "Well-Known" synthesized URLs can appear: it
literally increases it from one location (the root) to infinite locations
(at
the end of any arbitrary path).

Fortunately, this defect is trivial to fix. Rather than placing .well-known
path components *after* the path identified by an issuer identifier, you
place
them *before* it, which amends this document's usage to be within the spirit
intended by RFC 5785. For example, the example in section 3.1:

     GET /issuer1/.well-known/oauth-authorization-server HTTP/1.1
     Host: example.com

Would instead become:

     GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1
     Host: example.com


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 1.1: [this is an editorial suggestion that I leave to the editors'
discretion] This document makes use of uncapitalized "must", "should", and
"may" in places. Please consider using the RFC 8174 boilerplate instead of
the
RFC 2119 boilerplate.

Section 7.2: [this is an important procedural comment that really should be
resolved prior to publication] The addition of restrictions to registries
established by RFC 6749 would seem to require that this document formally
include "Updates: RFC6749" in its metadata, as well as a mention of such an
update in its Abstract and Introduction sections.




------------------------------

Subject: Digest Footer

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


------------------------------

End of OAuth Digest, Vol 111, Issue 28
**************************************