Re: [OAUTH-WG] OMA Liaison Has Arrived!

[Barry Leiba <barryleiba@computer.org>]

On Mon, Aug 22, 2011 at 1:53 PM, Barry Leiba <barryleiba@computer.org> wrote:
> I intend to add the following to the response to this item:
> "The working group understands that client code needs to know whether
> to use and decode percent-encoding.  The issue is being discussed and
> tracked, and will be resolved before the final version of the bearer
> document is produced."


For confirmation: Murray Kucherawy, our liaison to OMA, delivered our
response yesterday (Tuesday, 23 August), and OMA has acknowledged it.
They thank us for our prompt response.

Barry, as chair

> -----------------------------------------------------------------
>
> The IETF OAuth working group thanks OMA ARC SEC for the liaison
> statement titled "OAuth discovery and specification availability",
> dated 18 July 2011.
>
> The OMA liaison statement asks the OAuth working group to address five
> issues, and our answers are as follows:
>
> •       Availability of the IETF OAuth specifications: especially
> [draft-ietf-oauth-v2] and [draft-ietf-oauth-v2-bearer], and also
> [draft-hammer-oauth-v2-mac-token],
> [draft-lodderstedt-oauth-revocation] and [draft-recordon-oauth-v2-ux].
>
> Answer:
> The IETF cannot guarantee publication dates, but we can give some
> best-guess timeframes.  At this writing, draft-ietf-oauth-v2 and
> draft-ietf-oauth-v2-bearer have completed Working Group last call and
> are undergoing their final revisions before being sent to the IESG.
> We expect the final versions of those documents to be in the RFC
> Editor queue around the end of September, though it could be later if
> issues come up in IETF-wide last call or during IESG evaluation.  The
> draft-hammer-oauth-v2-mac-token document has been replaced by
> draft-ietf-oauth-v2-http-mac, which is a working group document.  It
> is likely to be in the RFC Editor queue by the end of the year.
>
> The remaining two documents are not working group documents, and the
> working group can say nothing about their status.  The OAuth working
> group intends to revise its charter in the November timeframe, and
> it's possible that one or both of those documents could be adopted by
> the working group at that time, and we could have further information
> about target publication dates then.
>
> •       Availability of the OAuth Parameters Registry
>
> Answer:
> The draft-ietf-oauth-v2 document establishes the OAuth Parameters
> Registry (in section 11.2, as of draft version 20).  The registry will
> be available when the RFC is published, which will be some time after
> the document goes into the RFC Editor queue, depending upon the RFC
> Editor's load at the time.
>
> •       IETF intent to specify an OAuth Discovery mechanism
>
> Answer:
> There is interest among OAuth working group participants for
> specifying such a mechanism, but the work is not in the current
> charter.  It will likely be considered during the aforementioned
> charter update in (approximately) November.
>
> •       Considerations that can help implementors decide about the type of
> OAuth access token to deploy.
>
> Answer:
> There is no current work planned, but documents with such
> implementation advice might also be considered during the rechartering
> discussion.
>
> •       For bearer tokens: clarification whether the non-support of percent
> encoding for scope-v element of WWW-Authenticate Response Header Field
> grammar is intentional.
>
> Answer:
> In the bearer token document (Section 2.4 of
> draft-ietf-oauth-v2-bearer-08, "The WWW-Authenticate Response Header
> Field"), the "scope-v" element is unambiguously defined to allow a
> specific set of characters.  That set of characters does permit, but
> does not mandate, support for percent-encoding of characters.
>
> -----------------------------------------------------------------