Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
Mike Jones <Michael.Jones@microsoft.com> Wed, 25 January 2012 00:03 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D00821F85D7; Tue, 24 Jan 2012 16:03:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.788
X-Spam-Level:
X-Spam-Status: No, score=-3.788 tagged_above=-999 required=5 tests=[AWL=-0.189, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQWOi+AmReoS; Tue, 24 Jan 2012 16:03:17 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe006.messaging.microsoft.com [216.32.181.186]) by ietfa.amsl.com (Postfix) with ESMTP id C1ED121F8596; Tue, 24 Jan 2012 16:03:17 -0800 (PST)
Received: from mail179-ch1-R.bigfish.com (10.43.68.251) by CH1EHSOBE008.bigfish.com (10.43.70.58) with Microsoft SMTP Server id 14.1.225.23; Wed, 25 Jan 2012 00:03:17 +0000
Received: from mail179-ch1 (localhost [127.0.0.1]) by mail179-ch1-R.bigfish.com (Postfix) with ESMTP id 2F4FC260194; Wed, 25 Jan 2012 00:03:17 +0000 (UTC)
X-SpamScore: -38
X-BigFish: VS-38(zz9371I936eK542M1432N98dKzz1202hzz1033IL8275dhz2fhc1bhc31hc1ah2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-FB-SS: 13,
Received-SPF: pass (mail179-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail179-ch1 (localhost.localdomain [127.0.0.1]) by mail179-ch1 (MessageSwitch) id 13274497977629_28206; Wed, 25 Jan 2012 00:03:17 +0000 (UTC)
Received: from CH1EHSMHS007.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.247]) by mail179-ch1.bigfish.com (Postfix) with ESMTP id F16F7180046; Wed, 25 Jan 2012 00:03:16 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS007.bigfish.com (10.43.70.7) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 25 Jan 2012 00:03:16 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.12]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0247.005; Tue, 24 Jan 2012 16:03:15 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
Thread-Index: Acza9LphO1mPc9gpRTC5FQtXgyb9wg==
Date: Wed, 25 Jan 2012 00:03:15 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366380094@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: The IESG <iesg@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2012 00:03:18 -0000
Per the discussion at http://www.ietf.org/mail-archive/web/oauth/current/msg08040.html, the working group's rationale for supporting quoted-string but not token syntax for these parameters, and for requiring that backslash ('\') quoting not be used when producing them is as follows: "Once again, the current text reflects a consensus decision of the working group. It was viewed that requiring support for multiple ways of doing the same thing unnecessarily complicated implementations without any compensating benefit; better to support one syntax for each semantic operation and require all implementations to use it." Despite Julian's remarks below, the syntax in the Bearer spec *is* compatible with standard parameter parsers, and so no interoperability problems are created by restricting the parameter syntax to a subset of the syntax allowed by HTTPbis. No non-standard code is needed to use parameters in the manner described in the Bearer spec. The current text is the result of thorough and informed discussion among the working group, and reflects the best consensus available as I understand it in my role as editor, attempting to accurately represent the working group's decisions and rationale. Best wishes, -- Mike -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Julian Reschke Sent: Tuesday, January 24, 2012 3:24 PM To: ietf@ietf.org Cc: The IESG; oauth@ietf.org Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard On 2012-01-23 16:58, Julian Reschke wrote: > On 2012-01-23 16:46, The IESG wrote: >> >> The IESG has received a request from the Web Authorization Protocol >> WG >> (oauth) to consider the following document: >> - 'The OAuth 2.0 Authorization Protocol: Bearer Tokens' >> <draft-ietf-oauth-v2-bearer-15.txt> as a Proposed Standard ... > > Please see my comments in > <https://www.ietf.org/mail-archive/web/oauth/current/msg08120.html> > which I think have not been addressed. > ... In an off-list conversation I heard that what I said before may not be as clear as it could be. So... 1) draft-ietf-oauth-v2-bearer-15 defines a new HTTP authentication scheme. 2) In the IANA considerations, it references the registration procedure defined in <http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-17#section-2.3> (now -18, but that doesn't matter here). 3) That document recommends in <http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-17#section-2.3.1>: o The parsing of challenges and credentials is defined by this specification, and cannot be modified by new authentication schemes. When the auth-param syntax is used, all parameters ought to support both token and quoted-string syntax, and syntactical constraints ought to be defined on the field value after parsing (i.e., quoted-string processing). This is necessary so that recipients can use a generic parser that applies to all authentication schemes. 4) draft-ietf-oauth-v2-bearer-15 ignores this recommendation. It has been mentioned that it might not have ignored it if it had UPPERCASE requirements, but in HTTPbis we try to restrict BCP14 keywords to the actual protocol, not on recommendations on other specs. 5) The registration requirement for a new scheme is "IETF review", which RFC 5226 defines in <http://tools.ietf.org/html/rfc5226#section-4.1> as: IETF Review - (Formerly called "IETF Consensus" in [IANA-CONSIDERATIONS]) New values are assigned only through RFCs that have been shepherded through the IESG as AD- Sponsored or IETF WG Documents [RFC3932] [RFC3978]. The intention is that the document and proposed assignment will be reviewed by the IESG and appropriate IETF WGs (or experts, if suitable working groups no longer exist) to ensure that the proposed assignment will not negatively impact interoperability or otherwise extend IETF protocols in an inappropriate or damaging manner. In this case the WG exists (it's HTTPbis), and the OAuth got two reviews from HTTPbis pointing out the problem -- from Mark Nottingham, the WG chair, and myself, one of the authors. And yes, I believe the way OAuth defines the syntax *will* impact interoperability. Also, I haven't seen any explanation why OAuth can not follow the recommendation from HTTPbis. Hope this clarifies things, Julian _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer… The IESG
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mark Nottingham
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Martin Rex
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Bjoern Hoehrmann
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Martin Rex
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Justin Richer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… John Bradley
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… William Mills
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Peter Saint-Andre
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… John Bradley
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… John Bradley
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer