IETF Logo Mail Archive

Re: [OAUTH-WG] Preliminary OAuth Core draft -29

Mike Jones <Michael.Jones@microsoft.com> Mon, 09 July 2012 14:48 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8AF211E8080 for <oauth@ietfa.amsl.com>; Mon, 9 Jul 2012 07:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.791
X-Spam-Level:
X-Spam-Status: No, score=-3.791 tagged_above=-999 required=5 tests=[AWL=-0.192, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yWuEb4ghFEu8 for <oauth@ietfa.amsl.com>; Mon, 9 Jul 2012 07:48:37 -0700 (PDT)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe001.messaging.microsoft.com [216.32.180.184]) by ietfa.amsl.com (Postfix) with ESMTP id 9234A11E8072 for <oauth@ietf.org>; Mon, 9 Jul 2012 07:48:37 -0700 (PDT)
Received: from mail122-co1-R.bigfish.com (10.243.78.250) by CO1EHSOBE006.bigfish.com (10.243.66.69) with Microsoft SMTP Server id 14.1.225.23; Mon, 9 Jul 2012 14:46:46 +0000
Received: from mail122-co1 (localhost [127.0.0.1]) by mail122-co1-R.bigfish.com (Postfix) with ESMTP id 95A524401B2; Mon, 9 Jul 2012 14:46:45 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -29
X-BigFish: VS-29(zz98dI9371I936eI542M1432Izz1202hzz1033IL8275dhz2fh2a8h668h839h944hd25hf0ah107ah)
Received-SPF: pass (mail122-co1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC104.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail122-co1 (localhost.localdomain [127.0.0.1]) by mail122-co1 (MessageSwitch) id 134184520290731_8225; Mon, 9 Jul 2012 14:46:42 +0000 (UTC)
Received: from CO1EHSMHS007.bigfish.com (unknown [10.243.78.236]) by mail122-co1.bigfish.com (Postfix) with ESMTP id 13E31340044; Mon, 9 Jul 2012 14:46:42 +0000 (UTC)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.8) by CO1EHSMHS007.bigfish.com (10.243.66.17) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 9 Jul 2012 14:46:40 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0298.005; Mon, 9 Jul 2012 14:48:56 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Thread-Topic: [OAUTH-WG] Preliminary OAuth Core draft -29
Thread-Index: Ac1doaVzn0rH3CgzRNqCMkZEFAvQfwAONTcAAAFQgLA=
Date: Mon, 09 Jul 2012 14:48:54 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436657CE30@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436657C93A@TK5EX14MBXC283.redmond.corp.microsoft.com> <4FFAE2C8.5000109@gmx.de>
In-Reply-To: <4FFAE2C8.5000109@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Preliminary OAuth Core draft -29
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 14:48:38 -0000

HTML5 is not cited because it's a working draft - not an approved standard.  In what way is "the definition of the media type in HTML4 is known to be insufficient"?  People have been successfully implementing form-urlencoding with it for quite some time. :-)  Is there a specific wording change that you'd suggest that we make that doesn't involve citing a working draft, rather than an approved standard?

I'm not sure what aspect of https://www.ietf.org/mail-archive/web/oauth/current/msg09219.html you feel hasn't been addressed.  The restriction prohibiting colon has been removed from the ABNF, like you asked.  Using form-urlencoding when passing parameters through HTTP Basic enables a wider repertoire of characters to be used - again, something you'd asked for.

I used your example from http://greenbytes.de/tech/webdav/rfc5323.html#rfc.section.5.15.1 when wording the statement that "The ABNF below is defined in terms of Unicode code points".  That covers the topics raised in your message about the ABNF.  So I really don't understand in what way that statement fails to address your concerns.

I've done my best to intuit your intent based on your brief comments and address it, and apparently come up short in some way(s) that I can't identify from your response below.  Again, if you could propose specific wording changes, that would remove the ambiguity from your remarks and we could stop going back and forth on this.

I hope you can be on the call in ~2 hours as well.

				Thank you,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Monday, July 09, 2012 6:55 AM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Preliminary OAuth Core draft -29

On 2012-07-09 09:08, Mike Jones wrote:
> A preliminary version of OAuth core draft -29 is attached for the 
> working group's consideration and discussion on today's call.  I 
> believe that this addresses all issues that have been raised, 
> including Julian's issues about the ABNF, character sets, and form encoding.  Changes are:
>
>   * Added "MUST" to "A public client that was not issued a client
>     password MUST use the client_idrequest parameter to identify itself
>     when sending requests to the token endpoint" and added text
>     explaining why this must be so.
>   * Added that the authorization server MUST "ensure the authorization
>     code was issued to the authenticated confidential client or to the
>     public client identified by the client_idin the request".
>   * Added Security Considerations section "Misuse of Access Token to
>     Impersonate Resource Owner at Public Client".
>   * Deleted ";charset=UTF-8" from examples formerly using "Content-Type:
>     application/x-www-form-urlencoded;charset=UTF-8".
>   * Added the phrase "and a character encoding of UTF-8" when describing
>     how to send requests using the HTTP request entity-body, per Julian
>     Reschke's suggestion.

I still think that citing HTML4 here doesn't work; the definition of the media type in HTML4 is known to be insufficient. What's the reason for not citing the HTML4 working draft here?

>   * Added "The ABNF below is defined in terms of Unicode code points
>     [UNICODE5]; these characters are typically encoded in UTF-8".
>   * For symmetry when using HTTP Basic authentication, also apply the
>     application/x-www-form-urlencodedencoding to the client password,
>     just as was already done for the client identifier.

That's kind of surprising; what's the rational for this?

Also, given the complexity of x-www-form-urlencoded, I really really believe there should be examples of using it with non-ASCII characters.

Finally, the ABNF still fails to address my concerns from a few weeks
ago: <https://www.ietf.org/mail-archive/web/oauth/current/msg09219.html>

Best regards, Julian

v2.23.0 | Report a Bug | By Email