Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

William Denniss <wdenniss@google.com> Mon, 26 August 2019 20:46 UTC

References: <20190826190427.A7DADB80BB9@rfc-editor.org>
In-Reply-To: <20190826190427.A7DADB80BB9@rfc-editor.org>
From: William Denniss <wdenniss@google.com>
Date: Mon, 26 Aug 2019 13:46:25 -0700
Message-ID: <CAAP42hAgNm=E1f6DU7pUH23NAoLW9=4CEKWTT7wgk3PY_5s33Q@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, bayard.bell@twosigma.com, Benjamin Kaduk <kaduk@mit.edu>, oauth <oauth@ietf.org>, Roman Danyliw <rdd@cert.org>, rfc8252@ve7jtb.com, rfc8252@wdenniss.com, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GB9vszCbUTIsTqpx__w41uWZQaI>

Process-wise I'm not sure if errata should be used to capture changing
implementation details like this. We expected the implementation details
that we documented in the appendix to change, and explicitly stated that
assumption: "The implementation details herein are considered accurate at
the time of publishing but will likely change over time."

If updating those implementation details were in scope, then the proposed
text would need to be revised before being accepted due to some
inaccuracies (e.g. SFSafariViewController is not a successor to
ASWebAuthenticationSession).

Best,
William

On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC8252,
> "OAuth 2.0 for Native Apps".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid5848
>
> --------------------------------------
> Type: Technical
> Reported by: Bayard Bell <bayard.bell@twosigma.com>
>
> Section: Appendix B.1
>
> Original Text
> -------------
> Apps can initiate an authorization request in the browser, without
> the user leaving the app, through the "SFSafariViewController" class
> or its successor "SFAuthenticationSession", which implement the in-
> app browser tab pattern.  Safari can be used to handle requests on
> old versions of iOS without in-app browser tab functionality.
>
> Corrected Text
> --------------
> Apps can initiate an authorization request in the browser, without
> the user leaving the app, through the "ASWebAuthenticationSession"
> class or its successors "SFAuthenticationSession" and
> "SFSafariViewController", which implement the in-app browser tab
> pattern.  The first of these allows calls to a handler registered
> for the AS URL, consistent with Section 7.2. The latter two classes,
> now deprecated, can use Safari to handle requests on old versions of
> iOS without in-app browser tab functionality.
>
> Notes
> -----
> SFAuthenticationSession documentation reflects deprecated status:
>
> https://developer.apple.com/documentation/safariservices/sfauthenticationsession
>
> Here's the documentation for ASWebAuthenticationSession:
>
> https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8252 (draft-ietf-oauth-native-apps-12)
> --------------------------------------
> Title               : OAuth 2.0 for Native Apps
> Publication Date    : October 2017
> Author(s)           : W. Denniss, J. Bradley
> Category            : BEST CURRENT PRACTICE
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>
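The in-app browser tab pattern the report and the reply argue about, as an added example that is not part of this thread or of RFC 8252's appendix: an iOS client builds the authorization request with PKCE (RFC 7636) and a state value, opens it through ASWebAuthenticationSession (iOS 13 or later for the presentation-context API), and only accepts the redirect if the state matches. The authorization endpoint, client_id, redirect URI and callback scheme are placeholders I assumed for the example; a real client substitutes the values it registered with its authorization server.

```swift
// Added example, not code from RFC 8252 or this thread: an iOS client opens the
// authorization request in an in-app browser tab via ASWebAuthenticationSession,
// with PKCE (RFC 7636) and a state check. Endpoint, client_id and redirect URI
// are assumed placeholders.
import AuthenticationServices
import CryptoKit
import Foundation
import Security

enum AuthError: Error {
    case noCallback, stateMismatch, noCode, authorizationServer(String, String?)
}

/// Per-request secrets: a fresh PKCE code_verifier and a fresh state value.
struct AuthorizationRequest {
    let codeVerifier = AuthorizationRequest.randomBase64URL(byteCount: 32) // 43 chars, RFC 7636 minimum
    let state = AuthorizationRequest.randomBase64URL(byteCount: 16)

    /// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256.
    var codeChallenge: String {
        AuthorizationRequest.base64URL(Data(SHA256.hash(data: Data(codeVerifier.utf8))))
    }

    static func randomBase64URL(byteCount: Int) -> String {
        var bytes = [UInt8](repeating: 0, count: byteCount)
        precondition(SecRandomCopyBytes(kSecRandomDefault, byteCount, &bytes) == errSecSuccess)
        return base64URL(Data(bytes))
    }

    static func base64URL(_ data: Data) -> String {
        data.base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")
    }
}

final class NativeAppAuthorizer: NSObject, ASWebAuthenticationPresentationContextProviding {
    // Assumed placeholders; a real client uses its registered values.
    let authorizationEndpoint = URL(string: "https://as.example.com/authorize")!
    let clientID = "example-native-client"
    // Private-use URI scheme redirect (RFC 8252 section 7.1); the scheme is what
    // the session is told to intercept. A claimed https redirect (7.2) uses "https".
    let redirectURI = "com.example.app:/oauth2redirect"
    let callbackScheme = "com.example.app"

    private let anchor: ASPresentationAnchor
    private var session: ASWebAuthenticationSession?
    private var pending: AuthorizationRequest?

    init(anchor: ASPresentationAnchor) {
        self.anchor = anchor
        super.init()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }

    /// Opens the in-app browser tab; on success the caller gets the code plus the
    /// code_verifier that must accompany it at the token endpoint.
    func authorize(scope: String,
                   completion: @escaping (Result<(code: String, codeVerifier: String), Error>) -> Void) {
        let request = AuthorizationRequest()
        pending = request
        var components = URLComponents(url: authorizationEndpoint, resolvingAgainstBaseURL: false)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "scope", value: scope),
            URLQueryItem(name: "state", value: request.state),
            URLQueryItem(name: "code_challenge", value: request.codeChallenge),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]
        let session = ASWebAuthenticationSession(url: components.url!, callbackURLScheme: callbackScheme) {
            [weak self] callbackURL, error in
            guard let self = self, let expected = self.pending else { return }
            self.pending = nil
            self.session = nil
            if let error = error { return completion(.failure(error)) }
            guard let url = callbackURL else { return completion(.failure(AuthError.noCallback)) }
            completion(Self.handleRedirect(url, expected: expected))
        }
        session.presentationContextProvider = self
        session.prefersEphemeralWebBrowserSession = false  // share the system browser's AS session
        self.session = session
        session.start()
    }

    /// Accept the redirect only if its state matches the request we issued, and
    /// surface an AS error response instead of treating it as success.
    static func handleRedirect(_ url: URL, expected: AuthorizationRequest)
        -> Result<(code: String, codeVerifier: String), Error> {
        let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []
        func param(_ name: String) -> String? { items.first { $0.name == name }?.value }
        guard param("state") == expected.state else { return .failure(AuthError.stateMismatch) }
        if let err = param("error") {
            return .failure(AuthError.authorizationServer(err, param("error_description")))
        }
        guard let code = param("code") else { return .failure(AuthError.noCode) }
        return .success((code, expected.codeVerifier))
    }
}
```

The caller invokes `authorize(scope:)` from a view controller and, on success, POSTs the returned code together with the returned code_verifier to the token endpoint. Two checks carry the security of the flow: the state comparison in `handleRedirect`, which rejects a redirect that this app did not ask for, and the PKCE verifier, which stops another app that intercepts the same private-use scheme from redeeming the code. `prefersEphemeralWebBrowserSession` is left at its default so an existing login in the system browser is reused, which is the single-sign-on property the in-app browser tab pattern exists to provide; set it to true only when that sharing is undesirable.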