Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

Julian Reschke <> Fri, 30 December 2011 10:26 UTC

To: Mike Jones <>
Cc: Mark Nottingham <>, Barry Leiba <>, OAuth WG <>

On 2011-12-29 22:18, Mike Jones wrote:
> You proposed, Julian "3. Do not specify the ABNF. The ABNF of the WWW-Authenticate is defined in HTTPbis. Just state the names of the parameters, their syntax *after* parsing and their semantics."
> About some of Mark Nottingham's comments, Barry wrote "Let me point out that "this represents working-group consensus" is not always a valid response.  If the working group has actually considered the *issue*, that might be OK.  But if there's consensus for the chosen solution and someone brings up a *new* issue with it, that issue needs to be addressed anew."
> Relative to these two statements, I believe that I should remark at this point that your proposed semantics of only considering the syntax after potential quoting was explicitly considered earlier by the working group and rejected.  The consensus, instead, was for the present "no quoting will occur for legal inputs" semantics.

It would be helpful if you could back this statement with pointers to 
mails. As far as I can tell it's just you disagreeing with me.

Back to the facts:

a) the bearer spec defines an HTTP authentication scheme, and 
normatively refers to HTTPbis Part7 for that

b) HTTPbis recommends new scheme definitions not to have their own ABNF, 
as the header field syntax is defined by HTTPbis, not the individual scheme

c) the bearer spec defines its own ABNF nevertheless

So the two specs are in conflict, and we should resolve the conflict one 
way or the other.

If you disagree with the recommendation in HTTPbis, then you really 
really should come over to HTTPbis WG and argue your point of view.

If you agree with it, but think that the bearer spec can't follow the 
recommendation, then it would be good to explain the reasoning 
(optimally in the spec).

If you agree with it, and think the bearer spec *could* follow it, 
then... change it, by all means.

Anyway, if this issue isn't resolved before IETF LC then it will be 
raised again at that time.

> I believe that in the New Year the chairs and area directors will need to decide how to proceed on this issue.  (The working group consensus, as I see it, is already both well-informed and clear on this point, but I understand that that's not the only consideration.)  It would be good to see the spec finished shortly.
> ...

Best regards, Julian
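
The approach debated in this thread (parse the header with the generic auth-param grammar, then apply the scheme's constraints to the parsed values), as an added example that is not part of the original mail or of either spec. It assumes a single challenge per header value, the auth-param grammar as later published in RFC 7235, and the scope character set of the later-published RFC 6750; the function names are hypothetical.

```python
import re

# Generic grammar of the HTTP authentication framework (RFC 7235, section 2.1):
#   auth-param = token BWS "=" BWS ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")
# Scheme-level rule, checked on the *parsed* value. Assumption: the character
# set of the published RFC 6750 section 3 (draft 15 may differ).
SCOPE_CHARS = r"[\x21\x23-\x5B\x5D-\x7E]+"
SCOPE = re.compile(rf"{SCOPE_CHARS}(?: {SCOPE_CHARS})*")

def parse_challenge(header_value):
    """Parse one challenge into (scheme, params); values come back unquoted."""
    scheme, _, rest = header_value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            # Strip the quotes and undo quoted-pair escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = raw
        pos = m.end()
    return scheme, params

def bearer_scope(params):
    """Validate and split the scope parameter after generic parsing."""
    scope = params.get("scope")
    if scope is None:
        return []
    if not SCOPE.fullmatch(scope):
        raise ValueError("scope contains characters outside the allowed set")
    return scope.split(" ")

# Constructed sample header values: the same challenge in both wire forms.
QUOTED_FORM = 'Bearer realm="example", scope="read write"'
TOKEN_FORM = 'Bearer realm=example, scope="read write"'

if __name__ == "__main__":
    print(parse_challenge(QUOTED_FORM) == parse_challenge(TOKEN_FORM))
```

Because the allowed scope characters exclude `"` and `\`, a legal scope value never needs a quoted-pair escape, while the recipient still accepts either wire form of a parameter.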