Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14

Julian Reschke <> Mon, 12 December 2011 17:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5598821F8BE4 for <>; Mon, 12 Dec 2011 09:41:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.861
X-Spam-Status: No, score=-104.861 tagged_above=-999 required=5 tests=[AWL=-2.262, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nuds0ZNrHP7B for <>; Mon, 12 Dec 2011 09:41:50 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 5FD5621F8BDC for <>; Mon, 12 Dec 2011 09:41:50 -0800 (PST)
Received: (qmail invoked by alias); 12 Dec 2011 17:41:48 -0000
Received: from (EHLO []) [] by (mp014) with SMTP; 12 Dec 2011 18:41:48 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/qf7BLa7/qOyUkJrBdhGH1Slwnjh+O9b0XqrjrMU AOLKqbLyAx5GbD
Message-ID: <>
Date: Mon, 12 Dec 2011 18:41:44 +0100
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Mike Jones <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Mark Nottingham <>, "" <>
Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 12 Dec 2011 17:41:51 -0000

On 2011-12-12 18:28, Mike Jones wrote:
> Julian, you should reread the (substantial) mailing list threads on this topic.  As an example demonstrating the consensus, I've attached a pair of messages from a thread on this topic in which several people supported the input restriction to preclude character quoting.
> For instance, in this thread Eran Hammer-Lahav wrote:  "All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever."
> You'll also find that all of these people then explicitly agreed with this restriction:
> John Bradley
> William Mills
> Phil Hunt
> Mike Jones
> I believe that there were others as well.  Therefore, it is inaccurate to characterize this consensus decision as "essentially, the two of us disagreed".


I'm not disagreeing with the decision not to allow "\" in the value. 
What I'm disagreeing with is writing the ABNF in a way that will make it 
likely for implementers to special-case OAuth parameters when they 
should not.

The syntax of WWW-Authenticate is defined by HTTP. You *can* profile 
what senders can put into OAuth-specific parameters, but profiling what 
consumers need to parse is dangerous. Don't. Just use the generic grammar.

Best regards, Julian