IETF Logo Mail Archive

Re: [OAUTH-WG] Section 7.2

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 15 June 2012 18:28 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D1421F85A3 for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:28:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.339
X-Spam-Level:
X-Spam-Status: No, score=-102.339 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5TegI8jN416B for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:28:11 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 9792E21F859A for <oauth@ietf.org>; Fri, 15 Jun 2012 11:28:10 -0700 (PDT)
Received: (qmail invoked by alias); 15 Jun 2012 18:28:09 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [192.168.100.112]) [88.115.216.191] by mail.gmx.net (mp027) with SMTP; 15 Jun 2012 20:28:09 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+ZwnhSrJyZrtGq2Tzaoro6M3F8Y9C7kqsKzJ0eBc VBdzufTs12V2zh
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394366539839@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Fri, 15 Jun 2012 21:28:07 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <3929B3F4-D3B3-4CAB-BB22-CFA5BFBBE8E5@gmx.net>
References: <0CBAEB56DDB3A140BA8E8C124C04ECA201073394@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B1680429673943665394D7@TK5EX14MBXC284.redmond.corp.microsoft.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2010734C5@P3PWEX2MB008.ex2.secureserver.net> <0CBAEB56DDB3A140BA8E8C124C04ECA201073573@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B168042967394366539839@TK5EX14MBXC284.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Section 7.2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 18:28:12 -0000

Hi Mike, 

I personally would find it better to have fewer SHOULDs. Most of them have been there for a long time and so it is a bit late to complain but the challenge for protocol architectures is to figure out under what conditions they should do certain things. 

Additionally, I don't buy the argument that a server should not provide error responses (or to be only very brief, or even misleading) for a security point of view because attackers typically know more than ordinary developers or users and so you end up with a system that the normal user is unable to work with (in a failure case) but adversaries nevertheless get what they want. This comment relates to the first sentence that gives me the impression that the server may not send any error message in case of a failure, which sounds strange to me. 

Ciao
Hannes

On Jun 15, 2012, at 4:15 AM, Mike Jones wrote:

> Thanks for writing the text below.  It looks fine to me.  About adding the other error parameters as suggestions, that seems like a reasonable thing to do.  How about the text at the end below, which adds mentions of error_description and error_uri?
>  
> 7.2.  Error Response
>  
>    If a resource access request fails, the resource server SHOULD inform
>    the client of the error.  While the specifics of such error responses
>    are beyond the scope of this specification, this documents establishes
>    a common registry for error values to be shared among OAuth token
>    authentication schemes.
>  
>    New authentication schemes designed primarily for OAuth token
>    authentication SHOULD define a mechanism for providing an
>    error status code to the client, in which the error values allowed are
>    registered in the error registry established by this specification. Such
>    schemes MAY limit the set of valid error codes to a subset of the
>    registered values. If the error code is returned using a named parameter,
>    the parameter name SHOULD be "error".
>  
>    Other schemes capable of being used for OAuth token authentication, but
>    not primarily designed for that purpose, MAY bind their error values to the
>    registry in the same manner.
>  
>    New authentication schemes MAY choose to also specify the use of the
>    "error_description" and "error_uri" parameters to return error information
>    in a manner parallel to their usage in this specification.
>  
>  
>                                                             -- Mike
>  
> P.S.  If you already have the text you wrote in a copy of the draft, you should apply these spelling corrections:
>                desgined -> designed
>                authentiction -> authentication
>  
> -----Original Message-----
> From: Eran Hammer [mailto:eran@hueniverse.com] 
> Sent: Thursday, June 14, 2012 3:29 PM
> To: Eran Hammer; Mike Jones; oauth@ietf.org WG (oauth@ietf.org)
> Subject: RE: [OAUTH-WG] Section 7.2
>  
> Mike - if you want to add the other error parameters as suggestions, that would be fine by me.
>  
> EH
>  
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Eran Hammer
> > Sent: Thursday, June 14, 2012 3:23 PM
> > To: Mike Jones; oauth@ietf.org WG (oauth@ietf.org)
> > Subject: Re: [OAUTH-WG] Section 7.2
> >
> > 7.2.  Error Response
> >
> >    If a resource access request fails, the resource server SHOULD inform
> >    the client of the error.  While the specifics of such error responses
> >    are beyond the scope of this specification, this documents establishes
> >    a common registry for error values to be shared among OAuth token
> >    authentication schemes.
> >
> >    New authentication schemes desgined primarily for OAuth token
> >    authentiction SHOULD define a mechanism for providing an
> >    error status code to the client, in which the error values allowed are
> >    registered in the error registry established by this specification. Such
> >    schemes MAY limit the set of valid error codes to a subset of the
> >    registered values. If the error code is returned using a named parameter,
> >    the parameter name SHOULD be "error".
> >
> >    Other schemes capable of being used for OAuth token authentication, but
> >    not primarily designed for that purpose, MAY bind their error values to the
> >    registry in the same manner.
> >
> > EH
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email