Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
Julian Reschke <julian.reschke@gmx.de> Sat, 31 December 2011 11:58 UTC
On 2011-12-31 00:19, Mike Jones wrote:
> I did already back the statement that this is the working group consensus with the e-mails attached in this note sent to you on December 12, 2011:
> - http://www.ietf.org/mail-archive/web/oauth/current/msg08042.html

I replied in <http://www.ietf.org/mail-archive/web/oauth/current/msg08043.html>:

"I'm not disagreeing with the decision not to allow "\" in the value. What I'm disagreeing with is writing the ABNF in a way that will make it likely for implementers to special-case OAuth parameters when they should not."

So you're citing a consensus for a related but different question. I recommend to read the mailing thread to the end.

> As for your assertion that the specs are in conflict, yes, the Bearer spec includes a different decision than a RECOMMENDED clause in the HTTPbis spec (which was added after the Bearer text was already in place). However, it is not violating any MUST clauses in the HTTPbis spec. Given that no MUSTS are violated, I don't see it mandatory for this tension to be resolved in favor of one spec or the other in order for both to be approved as RFCs. I look forward to seeing that happen soon in both cases (and for the OAuth core spec as well).

As a matter of fact, the HTTPbis P7 text on considerations for new schemes doesn't use any BCP14 keywords at all. That's on purpose, because we think they should be used with care, and in particular that they should only be used to discuss the protocol, not the style of other specifications.

So it's really not relevant; what's essential is the intent of the spec text, and I believe that is VERY clear:

   o  The parsing of challenges and credentials is defined by this
      specification, and cannot be modified by new authentication
      schemes. When the auth-param syntax is used, all parameters ought
      to support both token and quoted-string syntax, and syntactical
      constraints ought to be defined on the field value after parsing
      (i.e., quoted-string processing). This is necessary so that
      recipients can use a generic parser that applies to all
      authentication schemes.

(Note the "cannot").

So again, if you disagree with this statement, please argue your case in the HTTPbis WG. If you *do* agree, but somehow feel that the bearer spec can't do this, the bearer spec should document the reason (just like when an implementation fails to implement a SHOULD).

As to the question of timing (when certain paragraphs were added): yes, HTTPbis P7 changed based on feedback and review of the OAuth bearer spec (triggered by James Manger). That's a feature. If it hadn't, for instance, the bearer spec wouldn't conform to the base grammar *at all*. See <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/195>.

Best regards, Julian
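
The generic-parser argument in the message above, as an added example that is not part of the original e-mail or of either specification: a scheme-independent auth-param parser that accepts both token and quoted-string values, with the Bearer restriction on "\" checked on the value after quoted-string processing. The function names and sample headers are assumptions made for illustration, and the quoted-string pattern is simplified (it does not reject control characters).

```python
import re

# token characters (tchar) of the HTTP grammar; quoted-string simplified
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")


def parse_challenge(header):
    """Scheme-independent parse of one challenge: (scheme, {name: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            # quoted-string processing: strip the quotes, undo quoted-pair escapes
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[name] = raw
        pos = m.end()
    return scheme, params


def check_bearer(params):
    """Hypothetical scheme-level rule, applied to parsed values: no backslash."""
    for name, value in params.items():
        if "\\" in value:
            raise ValueError(f"{name}: backslash not allowed in value")
    return params


if __name__ == "__main__":
    # Constructed sample headers: the same value written three ways
    for h in ('Bearer scope=openid', 'Bearer scope="openid"', 'Bearer scope="open\\id"'):
        print(h, "->", check_bearer(parse_challenge(h)[1]))
```

All three spellings yield the same parsed value, so a recipient that compares or validates the value after parsing treats them identically; a parser that special-cases the scheme's ABNF on the raw bytes would disagree with a generic one on the second and third forms.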