Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The

Martin Rex <mrex@sap.com> Wed, 25 January 2012 00:29 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201201250028.q0P0SwiS000165@fs4113.wdf.sap.corp>
To: Michael.Jones@microsoft.com
Date: Wed, 25 Jan 2012 01:28:58 +0100
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394366380094@TK5EX14MBXC284.redmond.corp.microsoft.com> from "Mike Jones" at Jan 25, 12 00:03:15 am
Cc: oauth@ietf.org, ietf@ietf.org, iesg@ietf.org

Mike Jones wrote:
> 
> Per the discussion at
>    http://www.ietf.org/mail-archive/web/oauth/current/msg08040.html,
> the working group's rationale for supporting quoted-string but
> not token syntax for these parameters, and for requiring that
> backslash ('\') quoting not be used when producing them [...]

I'm slightly confused...

Instead of inappropriately re-specifying the WWW-Authenticate:, how about
referencing the original specification and rules, and then adding
your desired requirements for *creation* of the contents on top of that,
so that oauth-bearer can permit recipients to reject stuff that doesn't fit
the additional "send-requirements" when processing the request.

I would assume that pretty much all authentication schemes will effectively
require subsetting of what can be conveyed to what they can parse,
and further subset this to what they can successfully verify, and reject
everything else -- without having to rewrite the WWW-Authenticate syntax.


-Martin
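The layering Martin sketches above, as an added example in Python that is not part of this thread or of any OAuth implementation: a first layer parses a challenge with the generic WWW-Authenticate auth-param grammar (token or quoted-string, backslash-quoted pairs allowed), which is what any recipient has to be able to parse regardless of scheme; a second, Bearer-specific layer then applies the "send-requirements" discussed in the thread (values produced as quoted-string, no backslash quoting) and rejects what does not fit. The Bearer parameter names, the scope-token character set, and the treatment of unknown and duplicate parameters are assumptions made for this illustration, not text from the draft.

```python
import re
from typing import Dict, List, Tuple

# token = 1*tchar, the generic HTTP token character set
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class ChallengeSyntaxError(ValueError):
    """The challenge cannot be parsed under the generic auth-param grammar."""


def parse_auth_params(s: str) -> List[Tuple[str, str, bool, bool]]:
    """Layer 1: auth-param = token "=" ( token / quoted-string ).

    Returns (name, value, was_quoted, used_backslash) per parameter so the
    scheme-specific layer can see how a value was conveyed, not only what it was.
    """
    params: List[Tuple[str, str, bool, bool]] = []
    i, n = 0, len(s)
    while i < n:
        while i < n and s[i] in " \t,":          # optional whitespace, list separators
            i += 1
        if i >= n:
            break
        m = TOKEN_RE.match(s, i)
        if not m:
            raise ChallengeSyntaxError(f"expected parameter name at offset {i}")
        name, i = m.group().lower(), m.end()
        while i < n and s[i] in " \t":
            i += 1
        if i >= n or s[i] != "=":
            raise ChallengeSyntaxError(f'expected "=" after {name!r}')
        i += 1
        while i < n and s[i] in " \t":
            i += 1
        if i < n and s[i] == '"':                # quoted-string, quoted-pair = "\" CHAR
            i += 1
            buf, escaped = [], False
            while True:
                if i >= n:
                    raise ChallengeSyntaxError(f"unterminated quoted-string for {name!r}")
                c = s[i]
                if c == "\\":
                    if i + 1 >= n:
                        raise ChallengeSyntaxError(f"dangling backslash in {name!r}")
                    buf.append(s[i + 1])
                    i, escaped = i + 2, True
                elif c == '"':
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            params.append((name, "".join(buf), True, escaped))
        else:                                    # bare token value
            m = TOKEN_RE.match(s, i)
            if not m:
                raise ChallengeSyntaxError(f"expected token or quoted-string for {name!r}")
            params.append((name, m.group(), False, False))
            i = m.end()
        while i < n and s[i] in " \t":
            i += 1
        if i < n and s[i] != ",":
            raise ChallengeSyntaxError(f"unexpected {s[i]!r} at offset {i}")
    return params


# Layer 2 assumptions (illustrative): these parameter names belong to Bearer,
# scope is a space-separated list of tokens drawn from printable ASCII without
# '"' and '\', unknown names are skipped, duplicates are rejected.
BEARER_PARAMS = {"realm", "scope", "error", "error_description", "error_uri"}
SCOPE_TOKEN_RE = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")


def check_bearer_challenge(header_value: str) -> Tuple[Dict[str, str], List[str]]:
    """Layer 2: (accepted_params, rejection_reasons) for one Bearer challenge.

    Everything the generic grammar can convey is parsed; values that do not
    meet the Bearer send-requirements are reported instead of accepted.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ChallengeSyntaxError("not a Bearer challenge")
    accepted: Dict[str, str] = {}
    reasons: List[str] = []
    seen = set()
    for name, value, quoted, escaped in parse_auth_params(rest):
        if name in seen:
            reasons.append(f"duplicate parameter {name!r}")
            continue
        seen.add(name)
        if name not in BEARER_PARAMS:
            continue
        if not quoted:
            reasons.append(f"{name!r} sent as token, quoted-string required")
        elif escaped:
            reasons.append(f"{name!r} uses backslash quoting")
        elif name == "scope" and not all(SCOPE_TOKEN_RE.fullmatch(t) for t in value.split(" ")):
            reasons.append("scope contains a non-scope-token value")
        else:
            accepted[name] = value
    return accepted, reasons


if __name__ == "__main__":
    # Constructed challenge lines for demonstration, not captured from a server.
    for hdr in ('Bearer realm="example", error="invalid_token"',
                'Bearer realm=example', 'Bearer realm="ex\\"ample"'):
        print(hdr, "->", check_bearer_challenge(hdr))
```

Note that the first layer deliberately accepts token values and quoted-pairs: a recipient that cannot parse them would break on challenges from other schemes sharing the header, which is the point of not rewriting the WWW-Authenticate syntax. Only the Bearer layer narrows what it will accept, and it does so after a successful parse, so the rejection reason can name the offending parameter.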