[OAUTH-WG] Re: [Technical Errata Reported] RFC8252 (8080)

Aaron Parecki <aaron@parecki.com> Sat, 17 August 2024 00:02 UTC

CC: rfc8252@wdenniss.com, rfc8252@ve7jtb.com, paul.wouters@aiven.io, bryce.m.thomas@gmail.com, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aGiGzKzw_1vrAxQxbwnujkxKnac>

I believe this erratum should be rejected.

Section 7.1 is one of the three options listed in section 7: private URI
scheme, claimed-https URLs, and loopback. The text in question is
describing the requirement for the private URI scheme option. If the app is
using private URI schemes, then it is correct that the private URI scheme
MUST have the requirements listed.

Aaron


On Fri, Aug 16, 2024 at 4:58 PM RFC Errata System <rfc-editor@rfc-editor.org>
wrote:

> The following errata report has been submitted for RFC8252,
> "OAuth 2.0 for Native Apps".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8080
>
> --------------------------------------
> Type: Technical
> Reported by: Bryce Thomas <bryce.m.thomas@gmail.com>
>
> Section: 6 and 7.1
>
> Original Text
> -------------
> > Any redirect URI that allows
>    the app to receive the URI and inspect its parameters is viable.
>
> and
>
> > When choosing a URI scheme to associate with the app, apps MUST use a
>    URI scheme based on a domain name under their control, expressed in
>    reverse order, as recommended by Section 3.8 of [RFC7595] for
>    private-use URI schemes.
>
> These two statements appear to conflict.
>
> Corrected Text
> --------------
> > Any redirect URI that allows
>    the app to receive the URI and inspect its parameters is viable.
>
> and
>
> > When choosing a URI scheme to associate with the app, apps SHOULD use a
>    URI scheme based on a domain name under their control, expressed in
>    reverse order, as recommended by Section 3.8 of [RFC7595] for
>
> Notes
> -----
> Suggest downgrading the section 7.1 text from MUST to SHOULD to resolve
> the conflict.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8252 (draft-ietf-oauth-native-apps-12)
> --------------------------------------
> Title               : OAuth 2.0 for Native Apps
> Publication Date    : October 2017
> Author(s)           : W. Denniss, J. Bradley
> Category            : BEST CURRENT PRACTICE
> Source              : Web Authorization Protocol
> Stream              : IETF
> Verifying Party     : IESG
>
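The point made in the reply above is that the Section 7.1 reverse-domain MUST applies only to the private-use URI scheme option, not to the claimed "https" or loopback options. As an added example (not code from the thread or from RFC 8252), the following registration-time validator classifies a native-app redirect URI into the three Section 7 options and applies the 7.1 requirement only to the first; `controlled_domains` (the domains the client registrant has demonstrated control of) is an assumed input.

```python
# Added example (not from the thread or RFC 8252): classify a native-app
# redirect URI into the three RFC 8252 Section 7 options; the Section 7.1
# reverse-domain MUST applies only to the private-use-scheme option.
# `controlled_domains` (domains the registrant has proven control of) is assumed.
from ipaddress import ip_address
from urllib.parse import urlsplit

LOOPBACK = {ip_address("127.0.0.1"), ip_address("::1")}

def reverse_domain(domain: str) -> str:
    """'app.example.com' -> 'com.example.app' (the Section 7.1 form)."""
    return ".".join(reversed(domain.lower().strip(".").split(".")))

def classify_redirect_uri(uri: str, controlled_domains: set[str]) -> str:
    """Return 'claimed-https', 'loopback' or 'private-use-scheme'; raise ValueError otherwise."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    domains = {d.lower() for d in controlled_domains}

    if scheme == "https":  # Section 7.2: claimed "https" scheme URI
        if (parts.hostname or "").lower() in domains:
            return "claimed-https"
        raise ValueError("https redirect host is not under the client's control")

    if scheme == "http":  # Section 7.3: loopback IP literal, any port
        try:
            if ip_address(parts.hostname or "") in LOOPBACK:
                return "loopback"
        except ValueError:
            pass  # not an IP literal (e.g. 'localhost'), fall through
        raise ValueError("plain http is allowed only for loopback IP literals")

    # Anything else is a private-use scheme, so Section 7.1 applies: the scheme
    # MUST be a controlled domain in reverse order, followed by a single slash.
    if scheme not in {reverse_domain(d) for d in domains}:
        raise ValueError(f"scheme {scheme!r} is not a reversed controlled domain")
    rest = uri[len(scheme) + 1:]
    if not rest.startswith("/") or rest.startswith("//"):
        raise ValueError("private-use scheme URI must have exactly one slash after the scheme")
    return "private-use-scheme"

def is_valid_native_redirect(uri: str, controlled_domains: set[str]) -> bool:
    """Boolean wrapper for use at client registration time."""
    try:
        classify_redirect_uri(uri, controlled_domains)
        return True
    except ValueError:
        return False
```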