Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

John Bradley <ve7jtb@ve7jtb.com> Tue, 27 August 2019 10:52 UTC

This is not really an errata.  At some point we need to update the BCP with an
updated RFC.   Perhaps the time is now to start a new draft that can
capture the changes in iOS, OSX and others.

John B.

On Mon, Aug 26, 2019, 10:46 PM William Denniss <wdenniss@google.com> wrote:

> Process-wise I'm not sure if errata should be used to capture changing
> implementation details like this. We expected the implementation details
> that we documented in the appendix to change, and explicitly stated that
> assumption. "The implementation details herein are considered accurate at
> the time of publishing but will likely change over time.".
>
> If updating those implementation details were in scope, then the proposed
> text needs to be revised before being accepted due to some
> inaccuracies (e.g. SFSafariViewController is not a successor to
> ASWebAuthenticationSession).
>
> Best,
> William
>
> On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
>> The following errata report has been submitted for RFC8252,
>> "OAuth 2.0 for Native Apps".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid5848
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Bayard Bell <bayard.bell@twosigma.com>
>>
>> Section: Appendix B.1
>>
>> Original Text
>> -------------
>> Apps can initiate an authorization request in the browser, without
>> the user leaving the app, through the "SFSafariViewController" class
>> or its successor "SFAuthenticationSession", which implement the in-
>> app browser tab pattern.  Safari can be used to handle requests on
>> old versions of iOS without in-app browser tab functionality.
>>
>> Corrected Text
>> --------------
>> Apps can initiate an authorization request in the browser, without
>> the user leaving the app, through the "ASWebAuthenticationSession"
>> class or its successors "SFAuthenticationSession" and
>> "SFSafariViewController", which implement the in-app browser tab
>> pattern.  The first of these allows calls to a handler registered
>> for the AS URL, consistent with Section 7.2. The latter two classes,
>> now deprecated, can use Safari to handle requests on old versions of
>> iOS without in-app browser tab functionality.
>>
>> Notes
>> -----
>> SFAuthenticationSession documentation reflects deprecated status:
>>
>>
>> https://developer.apple.com/documentation/safariservices/sfauthenticationsession
>>
>> Here's the documentation for ASWebAuthenticationSession:
>>
>>
>> https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC8252 (draft-ietf-oauth-native-apps-12)
>> --------------------------------------
>> Title               : OAuth 2.0 for Native Apps
>> Publication Date    : October 2017
>> Author(s)           : W. Denniss, J. Bradley
>> Category            : BEST CURRENT PRACTICE
>> Source              : Web Authorization Protocol
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>>