[OAUTH-WG] draft-ietf-oauth-v2-bearer-12: ABNF nits

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 27 October 2011 23:31 UTC

The <error-desc> value should just be <quoted-string>.
The current ABNF implies you can include raw (unescaped) " and \ characters in the value (as they are chars in <VCHAR>) - but that breaks parsing.
If the intention was not to allow senders to use escapes, then <error-desc-char> needs to be <%x20-21 / %x23-5B / %x5D-7E>. If that is the intention, why not disallow escapes from <error> as well?

Section 3 "The WWW-Authenticate Response Header Field"
OLD:
error-desc      = "error_description" "=" DQUOTE *error-desc-char DQUOTE
error-desc-char = SP / VCHAR
NEW:
error-desc      = "error_description" "=" quoted-string

The note about being allowed to parse <scope> with a quoted-string parser should also apply to <error-desc> and <error-uri> as well.


Perhaps a better approach is to: define <scope>, <error>, <error-desc>, and <error-uri> values as <quoted-string>; add text saying senders MUST NOT use quoted-string's escape mechanism (so " and \ cannot appear in the values), though receivers MAY use a standard quoted-string parser; say the <error-uri> value must match <URI-reference>; say the <scope> value is a list of space-delimited, case sensitive strings.


NEW:
  scope = "scope" "=" quoted-string
  error = "error" "=" quoted-string
  error-desc = "error_description" "=" quoted-string
  error-uri = "error_uri" "=" quoted-string

  Senders MUST NOT use the quoted-string escape mechanism for
  "scope", "error", "error_description", or "error_uri" values.
  That is, those values cannot include " or \.
  Receivers MAY use a standard quoted-string parser, and hence
  accept some values that are not allowed to be sent.

  An "error_uri" value MUST match the URI-reference rule
  from [RFC3986].

  The "scope" value is a list of space-delimited, case sensitive
  strings. ...


P.S. trivial typo: "URI-Reference" should be "URI-reference" in §1.1.

--
James Manger
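
Added example (not part of the original message or of the draft): a Python sketch of the sender and receiver rules proposed in the message above, next to a naive reading of the OLD grammar that truncates a value containing a raw DQUOTE. The function names, the simplified quoted-string regex and the sample header are assumptions constructed for illustration.

```python
import re

# Sender-side set from the email: %x20-21 / %x23-5B / %x5D-7E,
# i.e. printable ASCII without DQUOTE and backslash.
SENDER_SAFE = re.compile(r'[\x20-\x21\x23-\x5B\x5D-\x7E]*')
# Receiver side: name="quoted-string", accepting backslash escapes
# (a simplified quoted-string parser, assumed for illustration).
PARAM = re.compile(r'\s*([A-Za-z_]+)="((?:[^"\\]|\\.)*)"\s*(?:,|\Z)')

def build_challenge(params):
    """Serialize a Bearer challenge; refuse values that would need escapes."""
    parts = []
    for name, value in params.items():
        if not SENDER_SAFE.fullmatch(value):
            raise ValueError(f"{name}: value needs escaping, must not be sent")
        parts.append(f'{name}="{value}"')
    return "Bearer " + ", ".join(parts)

def parse_challenge(header):
    """Receiver: standard quoted-string parsing, so escapes are tolerated."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed parameter at offset {pos}")
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
        pos = m.end()
    return params

def first_dquote_parse(header):
    """OLD grammar read naively: the value ends at the next DQUOTE."""
    m = re.search(r'error_description="([^"]*)"', header)
    return m.group(1) if m else None

# Constructed header with a raw DQUOTE inside the value, which the OLD
# error-desc-char = SP / VCHAR rule permits.
AMBIGUOUS = 'Bearer error_description="token "abc" expired"'

if __name__ == "__main__":
    print(first_dquote_parse(AMBIGUOUS))  # value is silently truncated
    print(build_challenge({"error": "invalid_token",
                           "error_description": "The access token expired"}))
```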