Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-introspection-09: (with COMMENT)
Justin Richer <jricher@MIT.EDU> Tue, 23 June 2015 00:52 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA0381B311D; Mon, 22 Jun 2015 17:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVGxr5jsjkdQ; Mon, 22 Jun 2015 17:52:13 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 183531B3135; Mon, 22 Jun 2015 17:52:07 -0700 (PDT)
X-AuditID: 1209190e-f79c76d000002631-1e-5588adb5f40f
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id A3.3B.09777.5BDA8855; Mon, 22 Jun 2015 20:52:05 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t5N0q4Mj009685; Mon, 22 Jun 2015 20:52:04 -0400
Received: from macbook-pro.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t5N0pFIF003545 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 22 Jun 2015 20:52:03 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_8FAFA636-A128-4336-8ED7-1B32C4D8644C"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Justin Richer <jricher@MIT.EDU>
In-Reply-To: <CALaySJ+PvgOJHCssMH49AZ286fLhbYx10vBE1Z+dw1Qnn89=pQ@mail.gmail.com>
Date: Mon, 22 Jun 2015 20:51:55 -0400
Message-Id: <6B0C7F15-7DD0-4CCE-A3F1-E76007314B02@mit.edu>
References: <20150608123617.6617.42932.idtracker@ietfa.amsl.com> <A62D61C9-C6A0-4988-B7DC-73B39F69FCD5@mit.edu> <CALaySJ+XpvcnStdK3JC_3j9ztQVaRVc0OK=hTOQB2eO06C_XZg@mail.gmail.com> <AE7633AA-BC8A-4E16-B434-9B17D897AB82@mit.edu> <CALaySJ+PvgOJHCssMH49AZ286fLhbYx10vBE1Z+dw1Qnn89=pQ@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.2098)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrJKsWRmVeSWpSXmKPExsUixG6nrrt1bUeowZm/5haHFl9itTi76Ta7 xYrl5RYvFu9ktpjxZyKzxe25K9ksTr59xebA7tGyqpfZY8mSn0wBTFFcNimpOZllqUX6dglc GZ1th1gKtmhWXLu8hqWB8bhyFyMnh4SAicSeRf9ZIGwxiQv31rN1MXJxCAksZpLYvXYlM4Sz kVFifdNbRgjnMZPEw2UvwVqYBRIkfqz5yQpi8wroSTx6+pgdxBYWSJc4/vAtG4jNJqAqMX/l LaYuRg4OToFAiRcreUHCLEDhI/NeMIHMZBb4xSjRvPMrE8QcK4mm3kNMEMtWMEmcP7MMbJmI gKbE889TwAZJCMhKfN0qN4FRYBaSM2YhOQMiri2xbOFrZghbU2J/93IWTHENic5vE1kXMLKt YpRNya3SzU3MzClOTdYtTk7My0st0jXWy80s0UtNKd3ECIoRTkm+HYxfDyodYhTgYFTi4S2Y 3BEqxJpYVlyZe4hRkoNJSZR3TQNQiC8pP6UyI7E4I76oNCe1+BCjBAezkgjv1DlAOd6UxMqq 1KJ8mJQ0B4uSOO+mH3whQgLpiSWp2ampBalFMFkZDg4lCd62NUCNgkWp6akVaZk5JQhpJg5O kOE8QMNPgtTwFhck5hZnpkPkTzEqSonzrgdJCIAkMkrz4HphKewVozjQK8K8D0CqeIDpD677 FdBgJqDBX3LbQAaXJCKkpBoYI48/8cqUUXrN4bXGrDDhe7zKbXuZ5LM5e9t8ObebqrQ3eM0u Ed7344GuyHIjH0vldQLLJqk+trH9W+DeFvdUQMtgg3XhxSxztTkfPbeJ26de0WheuokrqVOH jencEUlrVe83BWszshP2P16w5oCLtkHqoeW5GuvMly5PWSz0Jfynm8WiLGYlluKMREMt5qLi RADv76udPAMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fI9Wwwq_jk8oyBDX7QUZZIlrilI>
Cc: draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, oauth-chairs@ietf.org, draft-ietf-oauth-introspection.shepherd@ietf.org, The IESG <iesg@ietf.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-introspection-09: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 00:52:18 -0000
Barry, I’ve uploaded a new draft that should address your comments below: Draft: https://tools.ietf.org/html/draft-ietf-oauth-introspection-10 <https://tools.ietf.org/html/draft-ietf-oauth-introspection-10> Diff: https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-introspection-10.txt <https://tools.ietf.org/rfcdiff?url2=draft-ietf-oauth-introspection-10.txt> Hopefully this will be sufficient to clear the DISCUSS. Please let me know if you have any further questions, — Justin > On Jun 11, 2015, at 5:32 PM, Barry Leiba <barryleiba@computer.org> wrote: > >>> 1. Why is GET an optimization? It has privacy disadvantages, and I >>> don't see any advantages. >>> >>> 2. This "tight coupling" thing is something that I think weakens the >>> interoperability of the OAuth protocol in general, and I've never >>> liked it. In this case, in particular, I don't see any advantage to >>> it, and I don't understand why it's useful to have an option that only >>> works if you have inside knowledge, for no benefit. >>> >>> Why is it ever good to have clients that only work with certain >>> servers, when it's just as easy to make sure that all clients work >>> with all servers? >> >> I can see your point here, and others have raised it as well. Part of >> the reason the GET option is there is that most (if not all) of the >> existing implementations of this protocol enable it anyway. Having >> thought about this a bit, I would be fine with simply saying that POST >> is required and remaining silent on other methods in the main section. >> We can keep the warnings against also allowing GET in the security >> considerations. Will that work? > > That will be of great excellence all 'round. Thanks! > > Barry
- [OAUTH-WG] Barry Leiba's No Objection on draft-ie… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Kathleen Moriarty
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Justin Richer
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Justin Richer
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Justin Richer