Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

Peter Saint-Andre <> Wed, 25 January 2012 21:26 UTC

<hat type='TechAdvisor'/>

(see )

On 1/25/12 1:37 AM, Mike Jones wrote:
> Eran, do I then correctly understand that you've changed your mind on
> the position you took in
> which was: "All I agree with is to limit the scope character-set in
> the v2 spec to the subset of ASCII allowed in HTTP header
> quoted-string, excluding " and \ so no escaping is needed, ever."?  I
> ask this, because if I correctly understand your statement that you
> agree with Julian, you are now taking the position that you are OK
> with recipients being required to perform escape processing for the
> scope (and other) parameters and with them being required to accept
> them either as tokens or as quoted strings.
>
> This raises a question I'd like to ask John Bradley, William Mills,
> Phil Hunt, and Justin Richer:  Since all of you replied with a +1 to
> Eran's original statement, are you still in agreement with it, or are
> you now possibly reconsidering your position, as Eran apparently has?
> I'm asking, because your messages have been part of the basis upon
> which I've been taking the position as editor that the working group
> consensus is that no quoting may occur.  (The other reason that I
> believed, as editor, that this was a consensus position is that this
> syntax restriction has been present in every Bearer draft, as it was
> in OAuth 2.0 draft 10, which was the basis of the first Bearer
> draft.)  If that's not the actual working group consensus (or it's
> not anymore), it would be good to know that now.

Yes, input from those (and other) OAuth WG participants would be helpful.

> Finally, I'd like to respond publicly to a comment made to me in a
> private note sent to me about the current discussions.  In it, the
> sender (an IETF "old hand") observed that it could appear from the
> strength of my responses to Julian's feedback that I might be trying
> to defend a particular personal view of how these issues should be
> resolved.  I responded to him that the irony here is that I'm not
> trying to represent a personal position.  Rather, I'm truly trying
> to do what I believe an IETF editor is supposed to do, which is to
> represent the working group's positions.

And that's just what a document editor should be doing.

> I'm quite open to the working group making it clear that its position
> has changed with respect to Julian's comments and equally open to the
> working group standing behind the text in the current draft.  If the
> chairs would like to help bring this issue to successful closure, I
> would highly welcome their participation as well.

In my role as Tech Advisor, I have reviewed the discussion threads to
date. Julian has pointed out text from the specifications being worked
on in the HTTPbis WG. I concur with Julian's assessment: it would cause
interoperability issues for individual authentication schemes to
special-case the rules about parsing of challenges and credentials.

However, I think it might be acceptable (as Martin Rex suggested) for
such schemes to make recommendations about the actual data that is
conveyed, without special-casing the parsing rules as such (if the OAuth
WG wishes to go down that path, then further discussion with the HTTPbis
WG would probably be helpful so that we get the layering right and set a
good example for future schemes).

> Personally, I'd mostly just like to see the spec finished!

I think we can all agree on that. :)


Peter Saint-Andre
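A worked illustration of the parsing point at issue, added here and not part of the thread: a generic auth-param parser that accepts a value as either a token or a quoted-string (the HTTPbis rule Julian cited), with the scope character restriction from Eran's quoted statement applied as a check on the conveyed data rather than as a scheme-specific parsing rule (the layering Peter describes). The grammar constants, function names and sample challenges are my own constructions, not text from the drafts.

```python
import re

# Generic HTTP auth-param grammar (HTTPbis, later RFC 7235 / RFC 7230):
#   auth-param    = token BWS "=" BWS ( token / quoted-string )
#   quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
#   quoted-pair   = "\" ( HTAB / SP / VCHAR / obs-text )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")
PARAM_SEP = re.compile(r"\s*,\s*")


def unquote(value: str) -> str:
    """Strip surrounding DQUOTEs and resolve quoted-pair escapes (\\x -> x)."""
    if value.startswith('"') and value.endswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_bearer_challenge(header: str) -> dict:
    """Parse the auth-params of one 'Bearer ...' WWW-Authenticate value.

    Both token and quoted-string forms are accepted for every parameter,
    i.e. no Bearer-specific exception to the generic rules.  Raises
    ValueError for a non-Bearer scheme or malformed auth-param syntax."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    params = params.strip()
    result, pos = {}, 0
    while pos < len(params):
        m = AUTH_PARAM.match(params, pos)
        if not m:
            raise ValueError(f"bad auth-param at offset {pos}: {params[pos:]!r}")
        result[m.group(1).lower()] = unquote(m.group(2))
        pos = m.end()
        sep = PARAM_SEP.match(params, pos)  # optional comma between params
        if sep:
            pos = sep.end()
        elif pos < len(params):
            raise ValueError(f"expected ',' at offset {pos}: {params[pos:]!r}")
    return result


def scope_needs_no_escaping(scope: str) -> bool:
    """Data-level check matching Eran's quoted statement (my reading of it):
    every space-separated scope value is printable ASCII other than SP,
    DQUOTE and backslash, so it can be sent as a token or a quoted-string
    without ever needing a quoted-pair."""
    return all(0x21 <= ord(c) <= 0x7E and c not in '"\\'
               for tok in scope.split() for c in tok)
```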