[OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header

Brian Campbell <bcampbell@pingidentity.com> Tue, 08 July 2025 12:13 UTC

References: <CAD9ie-siXCTGFKakq6cOKPuPUnpJPszyzii18dhyVFUr_Z_UwQ@mail.gmail.com> <e083515e-4aae-495d-ab66-cef2d6774bb0@gmail.com> <CAD9ie-v3-vLDMMbGUL9+a9YR1Fb-kQ=4fbM258+TjgdKnS5kHg@mail.gmail.com> <CAEayHEMHvOm18K7nNGoUOFXkLNry7p=ZsS_+OR5KV9jJJhoV=g@mail.gmail.com> <CAD9ie-tOQfNigkGkePH=aKLjEv88fpwFJokQArjqXzXbxTezrw@mail.gmail.com> <CAJot-L2VVcg=OaPueG6+zOnDMeBDrK-VK2xcxfYC2FvoW_73ww@mail.gmail.com> <CAD9ie-umxyVb2TLjj=freAi+Ho_M4Subp_QtXjnANGwRYKVYzQ@mail.gmail.com> <CAJot-L0wwi5PRKY4KvDauK5fWcTWaTwmrwUxmrqAnRXVCRAb-w@mail.gmail.com>
In-Reply-To: <CAJot-L0wwi5PRKY4KvDauK5fWcTWaTwmrwUxmrqAnRXVCRAb-w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 08 Jul 2025 06:13:23 -0600
Message-ID: <CA+k3eCThiLp_N6gCpGsUXa2cjb96NbEsB0FvtmPgqi7dGdPSPQ@mail.gmail.com>
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
CC: Dick.Hardt@gmail.com, John Kemp <stable.pseudonym@gmail.com>, oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kreVozZrpmcq5jdWorqvhtbHTSM>

On Sun, Jul 6, 2025 at 12:57 PM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> wrote:

> Sure, but Postel's Law is actually harmful. And the "volume of LLM code"
> isn't the relevant metric, but rather "what the future of generated LLM
> code will look like". What is being generated at the moment I don't find
> relevant either, but rather what will be generated in the future, and the
> implications of that. So we should be thoughtful about the impact of the
> spec we write rather than seek to have the spec match only what was a past
> reality. So, I generally recommend disregarding "Postel's Law" as a
> long-term strategy. This draft I find to be quite insightful on the topic:
> https://www.ietf.org/archive/id/draft-iab-protocol-maintenance-05.html
>

FWIW, that draft would become RFC 9413 <https://datatracker.ietf.org/doc/rfc9413/>

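As an added example (not code from this thread, from any message in it, or from any named implementation), the following Python parser implements the Bearer credentials grammar from RFC 6750 section 2.1 together with the generic rule from RFC 9110 section 11.1 that the auth-scheme token is case-insensitive, and sets it beside a prefix-match shortcut. That the shortcut is what generated code tends to produce is an assumption here; the thread's subject line says only that such code does not follow the spec. The sample header values are constructed, not captured from real traffic.

```python
"""Strict Bearer-credentials parser versus a prefix-match shortcut.

Grammar (RFC 6750 section 2.1, generic auth-scheme rule from RFC 9110 section 11.1):

    credentials = "Bearer" 1*SP b64token
    b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

RFC 9110 makes the auth-scheme token case-insensitive, so "bearer" and
"BEARER" are valid spellings of the scheme; the token itself must match
b64token exactly (no inner spaces, no empty token).
"""
import re
from typing import List, Optional, Tuple

_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_bearer(header: Optional[str]) -> Optional[str]:
    """Return the token from an Authorization field value, or None.

    None means: header absent, a different scheme (Basic, DPoP, ...), or a
    value that does not match the RFC 6750 grammar. Callers should treat
    None as "no usable credential", not as "try a looser parse".
    """
    if header is None:
        return None
    scheme, _, rest = header.partition(" ")
    # auth-scheme is case-insensitive (RFC 9110 section 11.1).
    if scheme.lower() != "bearer":
        return None
    # 1*SP: more than one space between scheme and token is permitted.
    token = rest.lstrip(" ")
    if not _B64TOKEN.fullmatch(token):
        return None
    return token


def parse_bearer_naive(header: Optional[str]) -> Optional[str]:
    """Prefix-match shortcut (assumed typical of generated code, not quoted
    from the thread): case-sensitive scheme check, no token validation."""
    if header is not None and header.startswith("Bearer "):
        return header[len("Bearer "):]
    return None


# Constructed sample values, not captured from real traffic.
SAMPLES: List[str] = [
    "Bearer mF_9.B5f-4.1JqM",
    "bearer mF_9.B5f-4.1JqM",    # valid: scheme is case-insensitive
    "Bearer   mF_9.B5f-4.1JqM",  # valid: 1*SP allows several spaces
    "Bearer abc.def_ghi==",      # valid: trailing '=' padding allowed
    "Bearer",                    # malformed: no token at all
    "Bearer ",                   # malformed: empty token
    "Bearer mF_9 B5f",           # malformed: SP inside the token
    "Basic bWY6cGFzcw==",        # another scheme entirely
]


def compare(headers: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(header, strict result, naive result) for each value, so the two
    behaviours can be diffed side by side."""
    return [(h, parse_bearer(h), parse_bearer_naive(h)) for h in headers]


if __name__ == "__main__":
    for header, strict, naive in compare(SAMPLES):
        print(f"{header!r:30} strict={strict!r:20} naive={naive!r}")
```

Running it shows the two parsers disagreeing in both directions: the shortcut rejects a spec-valid lowercase scheme while accepting an empty token and a token containing a space, whereas the strict parser accepts exactly what the grammar accepts and nothing more. That is the distinction the quoted message argues for: match the spec rather than be lenient about whatever senders happen to emit.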