Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-dyn-reg-27: (with COMMENT)
Mike Jones <Michael.Jones@microsoft.com> Tue, 07 April 2015 22:09 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CAC01AC3FC; Tue, 7 Apr 2015 15:09:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 47j3QPzhS8mH; Tue, 7 Apr 2015 15:09:24 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0785.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::785]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CDEB1AC3FB; Tue, 7 Apr 2015 15:09:24 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) with Microsoft SMTP Server (TLS) id 15.1.136.17; Tue, 7 Apr 2015 22:09:03 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0136.014; Tue, 7 Apr 2015 22:09:03 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Ben Campbell <ben@nostrum.com>, Phil Hunt <phil.hunt@yahoo.com>
Thread-Topic: Ben Campbell's No Objection on draft-ietf-oauth-dyn-reg-27: (with COMMENT)
Thread-Index: AQHQcLNvziIlymLSiU21Cpn+02CTDJ1B2QkAgAAB4QCAAECyoA==
Date: Tue, 07 Apr 2015 22:09:03 +0000
Message-ID: <BY2PR03MB4429FC8FABE03426B27663EF5FD0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <20150406214830.8764.52235.idtracker@ietfa.amsl.com> <B52367E6-370F-4681-B4F5-F06C90F86959@yahoo.com> <89B75F57-55D8-4137-9F1C-9BD7C71AC855@nostrum.com>
In-Reply-To: <89B75F57-55D8-4137-9F1C-9BD7C71AC855@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: nostrum.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [64.71.18.60]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB442;
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(51914003)(24454002)(13464003)(51444003)(51704005)(377454003)(106116001)(77096005)(54356999)(99286002)(62966003)(76576001)(102836002)(40100003)(50986999)(77156002)(33656002)(86362001)(122556002)(2521001)(92566002)(2900100001)(230783001)(2950100001)(46102003)(19580405001)(19580395003)(76176999)(66066001)(87936001)(74316001)(2656002)(86612001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-microsoft-antispam-prvs: <BY2PR03MB442D621C71C22B6B545FADBF5FD0@BY2PR03MB442.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002010)(5005006); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442;
x-forefront-prvs: 0539EEBD11
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Apr 2015 22:09:03.3296 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/YS5DudLEymZG61WTn5tBdrqJEGo>
Cc: "draft-ietf-oauth-dyn-reg@ietf.org" <draft-ietf-oauth-dyn-reg@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, The IESG <iesg@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>
Subject: Re: [OAUTH-WG] Ben Campbell's No Objection on draft-ietf-oauth-dyn-reg-27: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2015 22:09:26 -0000
I think that the current SHOULD is more realistic. In the real world, particularly while developing and testing, people will have many iterations of pre-release software for a given version, all of which will likely be identified with the intended version number before the final release of that version of the software is made. -- Mike -----Original Message----- From: Ben Campbell [mailto:ben@nostrum.com] Sent: Tuesday, April 07, 2015 11:11 AM To: Phil Hunt Cc: The IESG; oauth-chairs@ietf.org; draft-ietf-oauth-dyn-reg@ietf.org; Justin Richer Subject: Re: Ben Campbell's No Objection on draft-ietf-oauth-dyn-reg-27: (with COMMENT) On 7 Apr 2015, at 13:03, Phil Hunt wrote: > Section 2: >> >> The software_version "SHOULD change on any update identified with the >> same software_id" --why not MUST? What happens if this doesn't >> happen? > > > The group didn’t necessarily agree to make software_version mandatory > to provide. Thus the word, SHOULD seemed appropriate to indicate that > if used it SHOULD change from version to version. That said, I am ok > with MUST (e.g. if software_version is used, it MUST change...). > > In answer to your question what happens: this is not so much a > security issue (in the traditional sense of an attacker), but rather a > regular software versioning/maintenance issue. The idea is that some > client software updates may prove to be buggy (or have performance > issues) and service providers may want to be able to refuse some > versions of client software while accepting others (e.g. 2.5 is broken > and causes DoS issues, while 2.5.1 is acceptable). If a version is > not provided, than an AS’s only choice is to ban all versions and > force the client developer to use or obtain a different software_id > for future registrations. Thanks for the response. I can live with either a SHOULD or a MUST, but if the SHOULD stays, it would be good to add a sentence or two to the effect of the above paragraph. That being said, "If used, it MUST change" seems to be more precise if that fits the WG intent.
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Mike Jones
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Justin Richer
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Justin Richer
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Mike Jones
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Kathleen Moriarty
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Ben Campbell
- Re: [OAUTH-WG] Ben Campbell's No Objection on dra… Ben Campbell