Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

Marius Scurtescu <mscurtescu@google.com> Wed, 19 October 2011 18:24 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 219FC1F0C49 for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2011 11:24:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26Jt7K31EGcr for <oauth@ietfa.amsl.com>; Wed, 19 Oct 2011 11:24:18 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 53BF11F0C6F for <oauth@ietf.org>; Wed, 19 Oct 2011 11:24:18 -0700 (PDT)
Received: from hpaq1.eem.corp.google.com (hpaq1.eem.corp.google.com [172.25.149.1]) by smtp-out.google.com with ESMTP id p9JIOH99029124 for <oauth@ietf.org>; Wed, 19 Oct 2011 11:24:17 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1319048657; bh=5J/6GDYNXOPrIdOgxzNTLwosxaE=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=Cs9jWIohntOt9+zfGSfNAAORjLvw8fnnjf4darveV+5toB1ekJ7/+6kzBQUvmOIki CMVPqYcQnTNJR2ObfuCGw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:from:date: message-id:subject:to:cc:content-type: content-transfer-encoding:x-system-of-record; b=cwmjm6YEOfTpJCKvFpP/UnvhcI63v1nyTjTIfaCCf4+h+40bltfqjZCMJEC8bR8cN KDJXdNYF2mEXyKJhcSgaQ==
Received: from ywm39 (ywm39.prod.google.com [10.192.13.39]) by hpaq1.eem.corp.google.com with ESMTP id p9JINeM2009206 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <oauth@ietf.org>; Wed, 19 Oct 2011 11:24:16 -0700
Received: by ywm39 with SMTP id 39so2989748ywm.1 for <oauth@ietf.org>; Wed, 19 Oct 2011 11:24:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=HTsOi5ENShEFIgM2XGBVnd8hyP18YSI49svwtZ8VHT4=; b=XFu0t4R5JYejg51dpdEoqDuDSN+ZzRDE3KGi75aIL9YI7dqKAFbu4kOYsixwpkOAJq tNkfi5TWmyhmbmW6KqmA==
Received: by 10.100.240.2 with SMTP id n2mr1782473anh.101.1319048651369; Wed, 19 Oct 2011 11:24:11 -0700 (PDT)
Received: by 10.100.240.2 with SMTP id n2mr1782465anh.101.1319048651193; Wed, 19 Oct 2011 11:24:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.142.14 with HTTP; Wed, 19 Oct 2011 11:23:51 -0700 (PDT)
In-Reply-To: <1319048157.41134.YahooMailNeo@web31802.mail.mud.yahoo.com>
References: <4E1F6AAD24975D4BA5B16804296739435C23C5A6@TK5EX14MBXC284.redmond.corp.microsoft.com> <999913AB42CC9341B05A99BBF358718DAABC44@FIESEXC035.nsn-intra.net> <4E1F6AAD24975D4BA5B16804296739435C23EA6A@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9AB561.5060904@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C23F5B6@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E9B1BA6.2060704@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723452604B908A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <9E5660BC-C797-454B-B2AF-48AB3E886AC7@ve7jtb.com> <B33BFB58CCC8BE4998958016839DE27EA769@IMCMBX01.MITRE.ORG> <62D2DE5D-AEBE-4A75-9C36-7A51E63DC7C3@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E723452604B9102@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4DF35A25-989C-4BE4-8ACD-3520DDB8BDE9@gmx.net> <90C41DD21FB7C64BB94121FBBC2E723452604B9197@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E9D8414.4030107@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723452604B9314@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E9DABDA.9060306@gmx.de> <CAGdjJpJsq0iq_yS2N_tG6JoARutC+6-WzH9xfZ1LA6o_1TbpNw@mail.gmail.com> <1319048157.41134.YahooMailNeo@web31802.mail.mud.yahoo.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 19 Oct 2011 11:23:51 -0700
Message-ID: <CAGdjJpLErEVx331zo0yHBZfVL1nWzXh8AnjHY-=02DcrTJHKTQ@mail.gmail.com>
To: William Mills <wmills@yahoo-inc.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2011 18:24:19 -0000

On Wed, Oct 19, 2011 at 11:15 AM, William Mills <wmills@yahoo-inc.com> wrote:
>> Is this covering all characters allowed in a URI? Why
>> not define scopes as a list of URIs?
> I'd rather not do this because people will presume unless we add even more
> text to explain it that they need to have the form scheme://host/path or
> some such.

Which is not necessarily a bad thing. It allows systems to scale and
interoperate.

> It's an opportunity to bloat scopes far out of proportion to
> what is actually needed.
>
> ________________________________
> From: Marius Scurtescu <mscurtescu@google.com>
> To: Julian Reschke <julian.reschke@gmx.de>
> Cc: OAuth WG <oauth@ietf.org>
> Sent: Wednesday, October 19, 2011 10:23 AM
> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
> Proposed Resolutions
>
> Marius
>
>
>
> On Tue, Oct 18, 2011 at 9:39 AM, Julian Reschke <julian.reschke@gmx.de>
> wrote:
>> On 2011-10-18 17:38, Eran Hammer-Lahav wrote:
>>>
>>> Space is allowed inside a quoted string and is already not allowed inside
>>> each scope string.
>>>
>>> EHL
>>> ...
>>
>> a) yes.
>>
>> b) well:
>>
>>   The value of the scope parameter is expressed as a list of space-
>>   delimited, case sensitive strings.  The strings are defined by the
>>   authorization server.  If the value contains multiple space-delimited
>>   strings, their order does not matter, and each string adds an
>>   additional access range to the requested scope.
>>
>> That certainly implies that you can't have a space inside a token, but it
>> could be clearer.
>>
>> Optimally, state the character repertoire precisely:
>>
>>  scopetokenchar =  %x21 / %x23-5B / %x5D-7E
>>  ; HTTPbis P1 qdtext except whitespace, restricted to US-ASCII
>>
>> ?
>
> Is this covering all characters allowed in a URI? Why not define
> scopes as a list of URIs?
>
>>
>> Best regards, Julian
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>