Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7642)
Warren Parad <wparad@rhosys.ch> Sun, 17 September 2023 11:32 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0B21C14CF1C for <oauth@ietfa.amsl.com>; Sun, 17 Sep 2023 04:32:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVXoNe8rHSRZ for <oauth@ietfa.amsl.com>; Sun, 17 Sep 2023 04:32:13 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12CB1C14CE42 for <oauth@ietf.org>; Sun, 17 Sep 2023 04:32:13 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-5029d8e027cso1349703e87.1 for <oauth@ietf.org>; Sun, 17 Sep 2023 04:32:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; t=1694950330; x=1695555130; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EkObjMLJuUmRkiw8yOvhWpjHweKM1e47RlW82SH5xL0=; b=LlDnxM9LWvaEDnYd/T6RoPQBsrRM4tmWQ5DQfs30fLQeibEP525WfOr5BgI6bnhEkA G866ne89xCR15HYEni6tGip8QbYiziFP+erawT3YnAhki3vGiEgzgMKcjs2hln65Yt2/ ewVBcXP3HlPmHVZrBr0168fZI23AnUz4+E1qkImhmWh45O0FzVdZkZw1BCk8v4MwrmWS AWKC90PwlWpvaFNLP1jQkJwGLkMVMzP743f0/oYaDU+HBMfPicLR9AD8+lUTCutFQGRm 2o9f4BLBDHyx90+D86Xy4fe6648OmANbu10mLOQVCj3/i+xWtZ8TAtGXnhpMdswUJdEj 7ClA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694950330; x=1695555130; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EkObjMLJuUmRkiw8yOvhWpjHweKM1e47RlW82SH5xL0=; b=rxSOWMxhE+QxxZTeM27od9p2U+Cr6A2dWRcZqM0REYhdffbtH8Wss3+G30tbSSBOFB bpXVxqlbJRpl08G5FWBpgmvO3r5n91sUsgt6s10BpVMPlq23u6yfdRSGWBJn0bFOYjcw Dl9+ZpX/yDWRtcQNxvdnaGIIEVJMUU9zBTEBm+SZFCtJPIgQfZvT7ZGjNdD4fi8LMKIn vH1HN4PiB0j+8gPCZWKW/87ce6PKzCuFJVRiIyOnv/aKZlxzFgFnbaljCTWpOTuKgNaJ aPkOyV1ZVFE7H11zKULkRf6mmY6JB+q1aScYNk8gQne/zce4m9LaelfXECJQiyM6N9VR YHhg==
X-Gm-Message-State: AOJu0YzZfrROyltyvogAIFAgCB/s5+bkUrIqeR5DsdXU4ugitlr2Hmrv 1YFZKdjDkpcxp7EIsoziY+zNP+JIcTk10PPuQwnk
X-Google-Smtp-Source: AGHT+IHvAjWMA4oBboC4SFFm5JdMMBCtVFBF8qzC0nRrNsFB8j4Z3vM4/beCr10C9XKNBiLt5mot8T/dAhkyCE35QEA=
X-Received: by 2002:ac2:5455:0:b0:502:db66:142b with SMTP id d21-20020ac25455000000b00502db66142bmr4596758lfn.3.1694950330318; Sun, 17 Sep 2023 04:32:10 -0700 (PDT)
MIME-Version: 1.0
References: <20230917090031.C27FC7FDC1@rfcpa.amsl.com> <CAGBSGjqwqs-zNm-FOUEZwXGp4_0E=9VCA3k+zJ5snsm1HZaneA@mail.gmail.com> <CAJot-L0iORRVYOHh9=VzdydSO548_GpP68oUe7ZdtRnFJFm3JQ@mail.gmail.com> <000401d9e959$823f7be0$86be73a0$@gmail.com>
In-Reply-To: <000401d9e959$823f7be0$86be73a0$@gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sun, 17 Sep 2023 13:31:59 +0200
Message-ID: <CAJot-L2+L0S=323QinToi47qcqVE9eAUXZGCk0EMz3jRmKeudQ@mail.gmail.com>
To: w.fast.8@gmail.com
Cc: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000059d7b706058c6055"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LY_fvzZnydXzbto0VFfpa1OX-ww>
Subject: Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7642)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2023 11:32:16 -0000
They are meant to be appositives, (not trying to be condescending, if you are unfamiliar with the english grammar term), except instead of inlined with commas, they use parentheses. Grammatically, the paragraph could have been rewritten as For example, an end-user, resource owner, can grant a printing service, client, access to her protected photos stored at a photo- sharing service, resource server, without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo-sharing service, authorization server, which issues the printing service delegation- specific credentials, access token. If it was written that way instead, would it have been clearer? Personally I don't think it would be, but maybe I'm in the minority. *resource server* follows *photo-sharing service*, because *resource server* is the oauth 2 concept *resource server* entity that is being exemplified by the concrete scenario represented by the *photo-sharing service*. The photo-sharing service in this example is* the resource service, *from an OAuth perspective. Just like the server that the photo-sharing service trusts, is called *an authorization server*. The example exists to explain using a real world scenario these core entities in the OAuth paradigm. On Sun, Sep 17, 2023 at 1:24 PM <w.fast.8@gmail.com> wrote: > I'm especially confused by why 'photo-sharing service' is followed by > '(resource server)' in parentheses the first time and '(authorization > server)' in parentheses the second time. > > > > > > -- > > Wilhelm > > > > *Von:* Warren Parad <wparad@rhosys.ch> > *Gesendet:* 17 September 2023 12:51 > *An:* Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org> > *Cc:* RFC Errata System <rfc-editor@rfc-editor.org>; w.fast.8@gmail.com; > oauth@ietf.org > *Betreff:* Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7642) > > > > It does look confusing if we only look at that one sentence, but as soon > as you pull in the whole paragraph, it seems pretty clear > > > > https://www.rfc-editor.org/rfc/rfc6749 > > For example, an end-user (resource owner) can grant a printing > service (client) access to her protected photos stored at a photo- > sharing service (resource server), without sharing her username and > password with the printing service. Instead, she authenticates > directly with a server trusted by the photo-sharing service > (authorization server), which issues the printing service delegation- > specific credentials (access token). > > > > Arguably the only improvement here would be to outline the full case, by > adding something like: > > The printing service (client) uses the credentials (access token) to > access the photo-sharing service (resource server), by sending the > credentials to the server. When receiving the credentials (access token), > the photo-sharing service (resource server) verifies the credentials using > the trusted server (authorization server). > > > > But I think that's wholly unnecessary, since everything has been defined > in this case. You can't mistake the resource server for the authorization > server, because the resource server has already been defined to be the *photo-sharing > service.* That means the *(authorization server)* identification > appositive can only apply to the trusted server. The errata breaks the > pattern of the paragraph and introduces confusion because it fails to > define the terms authorization server and access token, which arguably is > the whole point of the example. > > > > On Sun, Sep 17, 2023 at 12:35 PM Aaron Parecki <aaron= > 40parecki.com@dmarc.ietf.org> wrote: > > I disagree with this errata. The original text is correctly representing > that the "photo-sharing service" trusts the authorization server. The > suggested text is ambiguous because it does not make clear which party is > trusting which other party. > > > > Aaron > > > > On Sun, Sep 17, 2023 at 11:00 AM RFC Errata System < > rfc-editor@rfc-editor.org> wrote: > > The following errata report has been submitted for RFC6749, > "The OAuth 2.0 Authorization Framework". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid7642 > > -------------------------------------- > Type: Editorial > Reported by: Wilhelm Fast <w.fast.8@gmail.com> > > Section: 1 > > Original Text > ------------- > Instead, she authenticates directly with a server trusted by the > photo-sharing service (authorization server), which issues the printing > service delegation- > specific credentials (access token). > > Corrected Text > -------------- > Instead, she directly authenticates with a trusted server, the > authorization server, which issues delegation-specific credentials, known > as access tokens, to the printing service for controlled and secure access. > > Notes > ----- > The sentence is confusing, and the reader might confuse the Authorization > Server with the Resource Server. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC6749 (draft-ietf-oauth-v2-31) > -------------------------------------- > Title : The OAuth 2.0 Authorization Framework > Publication Date : October 2012 > Author(s) : D. Hardt, Ed. > Category : PROPOSED STANDARD > Source : Web Authorization Protocol > Area : Security > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7… RFC Errata System
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Aaron Parecki
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Warren Parad
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Warren Parad
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Chris Smiley