Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

John Bradley <ve7jtb@ve7jtb.com> Mon, 17 October 2011 13:07 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 323A721F8B90 for <oauth@ietfa.amsl.com>; Mon, 17 Oct 2011 06:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oym1qRRUsOjK for <oauth@ietfa.amsl.com>; Mon, 17 Oct 2011 06:07:12 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 90E9621F8B79 for <oauth@ietf.org>; Mon, 17 Oct 2011 06:07:12 -0700 (PDT)
Received: by gyh20 with SMTP id 20so3620111gyh.31 for <oauth@ietf.org>; Mon, 17 Oct 2011 06:07:12 -0700 (PDT)
Received: by 10.68.34.138 with SMTP id z10mr38143163pbi.105.1318856831518; Mon, 17 Oct 2011 06:07:11 -0700 (PDT)
Received: from [10.10.1.58] ([209.118.182.66]) by mx.google.com with ESMTPS id z1sm58731292pbl.5.2011.10.17.06.07.09 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 17 Oct 2011 06:07:10 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B33BFB58CCC8BE4998958016839DE27EA769@IMCMBX01.MITRE.ORG>
Date: Mon, 17 Oct 2011 06:07:07 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <62D2DE5D-AEBE-4A75-9C36-7A51E63DC7C3@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B16804296739435C23C5A6@TK5EX14MBXC284.redmond.corp.microsoft.com><7A22B287-CC99-4FD7-84DF-8FF5DA871FC6@gmx.net><4E1F6AAD24975D4BA5B16804296739435C23CAFE@TK5EX14MBXC284.redmond.corp.microsoft.com><89BE3D9D-AB1D-44B2-BA7D-0C0D74BCA885@gmx.net> <4E1F6AAD24975D4BA5B16804296739435C23CC9D@TK5EX14MBXC284.redmond.corp.microsoft.com> <999913AB42CC9341B05A99BBF358718DAABC44@FIESEXC035.nsn-intra.net> <4E1F6AAD24975D4BA5B16804296739435C23EA6A@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9AB561.5060904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C23F5B6@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9B1BA6.2060704@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723452604B908A@P3PW5EX1MB01.EX1.SECURESERVER.NET>, <9E5660BC-C797-454B-B2AF-48AB3E886AC7@ve7jtb.com> <B33BFB58CCC8BE4998958016839DE27EA769@IMCMBX01.MITRE.ORG>
To: "Richer, Justin P." <jricher@mitre.org>
X-Mailer: Apple Mail (2.1251.1)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 13:07:13 -0000

The scopes cross all of the profiles.

I expect that restricting the character sets for bearer tokens, MAC, and other future variants should be dealt with in those profiles. 

Without restricting scope in core, we leave the possibility of coming up with different rules in different profiles e.g. MAC vs Bearer.

It is probably best to have one rule in core that works across all the profiles.

John B.
On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote:

> I think the limit makes sense, but then are tokens limited by the same rules? They need to live in all the same places (query parameters, headers, forms) that scopes do and would be subject to the same kinds of encoding woes that scopes will. Or am I missing something obvious as to why this isn't a problem for tokens (both bearer tokens and the public part of MAC tokens) but is a problem for scope strings?
> 
> -- Justin
> ________________________________________
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of John Bradley [ve7jtb@ve7jtb.com]
> Sent: Sunday, October 16, 2011 8:11 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &    Proposed Resolutions
> 
> Restricting it now in the core spec is going to save a lot of headaches later.
> 
> John B.
> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote:
> 
>> It's an open question for the list.
>> 
>> EHL
>> 
>>> -----Original Message-----
>>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>> Sent: Sunday, October 16, 2011 11:00 AM
>>> To: Mike Jones
>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth WG;
>>> Eran Hammer-Lahav
>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>> Proposed Resolutions
>>> 
>>> On 2011-10-16 18:44, Mike Jones wrote:
>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide range of
>>> characters in scope was unintentional. The design was limited to allow simple
>>> ASCII strings and URIs."
>>>> ...
>>> 
>>> I see. Thanks.
>>> 
>>> Is this going to be clarified in -23?
>>> 
>>> Best regards, Julian
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth