Re: [OAUTH-WG] FW: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Thu, 28 June 2012 15:43 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Pete Resnick <presnick@qualcomm.com>
Thread-Topic: FW: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT)
Thread-Index: Ac1NfVJ2/vngAAOnQsWKq1/c+fOMkQADcmWAAe5hroA=
Date: Thu, 28 Jun 2012 15:43:41 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436656C96C@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394366558C4C@TK5EX14MBXC283.redmond.corp.microsoft.com> <4FDF85AD.8040706@cs.tcd.ie>
In-Reply-To: <4FDF85AD.8040706@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
Cc: Mark Nottingham <mnot@mnot.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] FW: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT)

Pete, can you now please clear this DISCUSS?  The W3C review period concluded yesterday and no issues have been brought to my attention.

				Thank you,
				-- Mike

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Monday, June 18, 2012 12:47 PM
To: Mike Jones
Cc: Pete Resnick; Mark Nottingham; oauth@ietf.org
Subject: Re: FW: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT)


Hi Mike,

As you noted this is under way. When I mailed tlr I asked for two weeks from the 13th, which coincides with the end of the IETF LC caused by the IPR declaration, so it should be fine.

Cheers,
S.

On 06/18/2012 07:08 PM, Mike Jones wrote:
> Hi Stephen,
> 
> Pete is holding his DISCUSS on Bearer open until the current text on the URI query parameter http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-2.3 receives W3C review.  Can you try to have that review happen this week, hopefully finishing sometime next week?
> 
> I'm cc:'ing Mark in his role as W3C liaison.
> 
> 				Thanks again,
> 				-- Mike
> 
> -----Original Message-----
> From: Pete Resnick [mailto:presnick@qualcomm.com]
> Sent: Tuesday, June 12, 2012 1:40 PM
> To: The IESG
> Cc: oauth-chairs@tools.ietf.org; 
> draft-ietf-oauth-v2-bearer@tools.ietf.org
> Subject: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: 
> (with DISCUSS and COMMENT)
> 
> Pete Resnick has entered the following ballot position for
> draft-ietf-oauth-v2-bearer-20: Discuss
> 
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
> 
> 
> Please refer to 
> http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Mark Nottingham's Applications Area review 
> <http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03805.html> identified the issue of URI query parameters in section 2.3: URI 
> query parameters are normally locally scoped. In this document, a 
> query parameter (access_token) is being defined as applying to all 
> URIs. This is (relatively) novel. A few people in the HTTP community 
> (including
> Mark) have expressed concerns. (See also 
> http://www.ietf.org/mail-archive/web/apps-discuss/current/msg04932.html
> and
> http://www.ietf.org/mail-archive/web/apps-discuss/current/msg04933.html from the apps-discuss archive.) This issue should probably be 
> further reviewed by W3C folks. I'm holding the DISCUSS as per Stephen to make sure we get that review.
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> In section 2.3, the new last paragraph starts:
> 
>     This method is included to document current use; its use is NOT
>     RECOMMENDED...
> 
> NOT RECOMMENDED is not defined by 2119, and the language is redundant with the previous paragraph and potentially confusing. I suggest replacing it with simply:
> 
>     This method is included to document current use; as indicated
>     in the previous paragraph, the use of this method is not
>     recommended...
> 
> BTW: The "SHOULD NOT unless..." in the previous paragraph is itself redundant. I think you mean "MUST NOT unless...". SHOULD NOT *means* MUST NOT unless you understand what you're doing.
> 
> Mark Nottingham's Applications Area review 
> <http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03805.html> has a couple of comments that I think deserve further reply:
> 
> 	* Section 1: Introduction
> 
> 	The introduction explains oauth, but it doesn't fully explain the
> 	relationship of this specification to OAuth 2.0. E.g., can it be
> 	used independently from the rest of OAuth? Likewise, the overview
> 	(section 1.3) seems more specific to the OAuth specification than
> 	this document. As I read it, this mechanism could be used for ANY
> 	bearer token, not just one generated through OAuth flows.
> 
> 	If it is indeed more general, I'd recommend minimising the
> 	discussion of OAuth, perhaps even removing it from the document
> 	title.
> 
> I agree that the title would be better simply as "HTTP Bearer Tokens", and then explain in the Abstract and Intro that the motivation and intended use of these Bearer Tokens is the OAuth 2.0 specification. A possibly useful side effect of this change might be that you can make OAuth 2.0 an informative (as against a normative) reference, and that these things could be reused for other purposes in the future. Not a huge deal, but I (like Mark) was unconvinced that the reference to OAuth in the title was necessary.
> 
> 	* Section 3 The WWW-Authenticate Response Header Field
> 
> 	The difference between a realm and a scope is not explained. Are they
> 	functionally equivalent, just a single value vs. a list?
> 
> Some text, and probably an example, might help explain this a bit better.
> 
> One of his comments asked for some additional review. I don't have a 
> personal opinion whether this is needed, but perhaps you should pursue
> this:
> 
> 	* General
> 
> 	The draft currently doesn't mention whether Bearer is suitable for
> 	use as a proxy authentication scheme. I suspect it *may*; it would
> 	be worth discussing this with some proxy implementers to gauge their
> 	interest (e.g., Squid).
> 
> 
>
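An added example, not part of this thread and not code from the bearer draft or any OAuth implementation: a small Python module that builds and parses the `WWW-Authenticate: Bearer` challenge from section 3 (treating `realm` as the protection space, as in HTTP Basic, and `scope` as a space-delimited list of required scopes, which is the distinction Mark's review asked about) and locates a bearer token in a request by the three transmission methods of section 2, tagging which one was used so a resource server can count or refuse the `access_token` query-parameter method that the DISCUSS concerns, since those URLs end up in server logs, browser history and Referer headers. The function names, the realm `example`, the token string, the form body and the URLs are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# One auth-param of a WWW-Authenticate challenge: name="quoted-string" or name=token.
_AUTH_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')


def _quote(value):
    """Escape a value for use inside a quoted-string auth-param."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_bearer_challenge(realm, scope=None, error=None, error_description=None):
    """Serialise a 'WWW-Authenticate: Bearer ...' header value.

    realm names the protection space the resource belongs to (one string,
    the same notion as in HTTP Basic); scope is the list of OAuth scopes
    the resource requires, sent as a single space-delimited quoted string.
    They are different things, not a single value versus a list of it.
    """
    params = ['realm="%s"' % _quote(realm)]
    if scope:
        params.append('scope="%s"' % _quote(" ".join(scope)))
    if error:
        params.append('error="%s"' % _quote(error))
    if error_description:
        params.append('error_description="%s"' % _quote(error_description))
    return "Bearer " + ", ".join(params)


def parse_bearer_challenge(header_value):
    """Parse a Bearer challenge into a dict; 'scope' is returned as a list."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header_value)
    result = {}
    for m in _AUTH_PARAM.finditer(params):
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escaping
        else:
            value = m.group(3)
        result[name] = value.split() if name == "scope" else value
    return result


def extract_bearer_token(headers, url, form_body=None):
    """Locate the bearer token in a request and report how it was sent.

    The three methods of the draft are tried: the Authorization header
    (section 2.1), a form-encoded body parameter (2.2) and the access_token
    URI query parameter (2.3).  Returns (token, method) or (None, None).
    A request using more than one method is rejected, following the rule in
    section 2 that clients must not combine methods.  The returned method
    lets a resource server count or refuse "query" requests, whose URLs end
    up in server logs, browser history and Referer headers.
    """
    found = []
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, credentials = auth.partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        found.append((credentials.strip(), "header"))
    if form_body:
        for token in parse_qs(form_body).get("access_token", []):
            found.append((token, "body"))
    for token in parse_qs(urlsplit(url).query).get("access_token", []):
        found.append((token, "query"))
    if len(found) > 1:
        raise ValueError("token sent by more than one method: %s" % [m for _, m in found])
    return found[0] if found else (None, None)


if __name__ == "__main__":
    # Constructed sample values; the realm, token and URLs are not from the thread.
    challenge = build_bearer_challenge("example", ["openid", "profile"], "insufficient_scope")
    print(challenge)
    print(parse_bearer_challenge(challenge))
    print(extract_bearer_token({"Authorization": "Bearer mF_9.B5f-4.1JqM"},
                               "https://server.example.com/resource"))
    print(extract_bearer_token({}, "https://server.example.com/resource?access_token=mF_9.B5f-4.1JqM"))
```

Run stand-alone, the script prints the challenge, its parsed form and the two extraction results. In a resource server, the `method` value returned by `extract_bearer_token` is the thing to log: a count of `"query"` hits over time shows which clients still depend on the section 2.3 method and whether it can be turned off for them.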