Re: [OAUTH-WG] FW: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 18 June 2012 19:46 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C0221F8646 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 12:46:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id srkyt1J3zG1y for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 12:46:57 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 76A4121F8634 for <oauth@ietf.org>; Mon, 18 Jun 2012 12:46:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id D7768171530; Mon, 18 Jun 2012 20:46:56 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1340048816; bh=Fu+5MHJ2hfGUSQ KkCnhw+/3SnLhj+/iDAy8Y6rtzMEY=; b=foZRWLnLrsoxWwZHgCu+Dn1EMuxVzU Fe6CIi5oAPBYg2O357Zk/8NsOBJElSrqKQcMf/1Pb8c0f+1nXr9fOVSNkN02ZzO2 20PsLZZA7CnQkbDo2K/TdzzZEl3j4KolgpGYroMlp0wPKXqW7qGW4sLwm8UC0ZeX 9IJ5x852OqTPVzuSXe2Jf1oZWZl+HFHNRTo0tGYpy6yXIzbeahjZdsvxIVbj8e3k B26ui6RvlGJe4pS+psYydUwty8r4uQu/PxE0ACEQmofsTW+Pwut7pT6F1t75Hyf0 ZCKCgc6t6Z9wrmBHXMysAsyFwPJzo3zzoA0qkViB2xrhJpEIwXuTOGoQ==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id xYyKRect43LJ; Mon, 18 Jun 2012 20:46:56 +0100 (IST)
Received: from [10.87.48.10] (unknown [86.41.12.186]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id C6D5617152C; Mon, 18 Jun 2012 20:46:53 +0100 (IST)
Message-ID: <4FDF85AD.8040706@cs.tcd.ie>
Date: Mon, 18 Jun 2012 20:46:53 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394366558C4C@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394366558C4C@TK5EX14MBXC283.redmond.corp.microsoft.com>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Pete Resnick <presnick@qualcomm.com>, Mark Nottingham <mnot@mnot.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] FW: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2012 19:46:58 -0000
Hi Mike, As you noted this is under way. When I mailed tlr I asked for two weeks from the 13th, which co-incides with the end of the IETF LC caused by the IPR declaration, so it should be fine. Cheers, S. On 06/18/2012 07:08 PM, Mike Jones wrote: > Hi Stephen, > > Pete is holding his DISCUSS on Bearer open until the current text on the URI query parameter http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-2.3 receives W3C review. Can you try to have that review happen this week, hopefully finishing sometime next week? > > I'm cc:'ing Mark in his role as W3C liaison. > > Thanks again, > -- Mike > > -----Original Message----- > From: Pete Resnick [mailto:presnick@qualcomm.com] > Sent: Tuesday, June 12, 2012 1:40 PM > To: The IESG > Cc: oauth-chairs@tools.ietf.org; draft-ietf-oauth-v2-bearer@tools.ietf.org > Subject: Pete Resnick's Discuss on draft-ietf-oauth-v2-bearer-20: (with DISCUSS and COMMENT) > > Pete Resnick has entered the following ballot position for > draft-ietf-oauth-v2-bearer-20: Discuss > > When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Mark Nottingham's Applications Area review <http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03805.html> > identified the issue of URI query parameters in section 2.3: URI query parameters are normally locally scoped. In this document, a query parameter (access_token) is being defined as applying to all URIs. This is (relatively) novel. A few people in the HTTP community (including > Mark) have expressed concerns. (See also http://www.ietf.org/mail-archive/web/apps-discuss/current/msg04932.html > and > http://www.ietf.org/mail-archive/web/apps-discuss/current/msg04933.html > from the apps-discuss archive.) This issue should probably be further reviewed by W3C folks. I'm holding the DISCUSS as per Stephen to make sure we get that review. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > In section 2.3, the new last paragraph starts: > > This method is included to document current use; its use is NOT > RECOMMENDED... > > NOT RECOMMENDED is not defined by 2119, and the language is redundant with the previous paragraph and potentially confusing. I suggest replacing it with simply: > > This method is included to document current use; as indicated > in the previous paragraph, the use of this method is not > recommended... > > BTW: The "SHOULD NOT unless..." in the previous paragraph is itself redundant. I think you mean "MUST NOT unless...". SHOULD NOT *means* MUST NOT unless you understand what you're doing. > > Mark Nottingham's Applications Area review <http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03805.html> > has a couple of comments that I think deserve further reply: > > * Section 1: Introduction > > The introduction explains oauth, but it doesn't fully explain the > relationship of this specification to OAuth 2.0. E.g., can it be > used independently from the rest of OAuth? Likewise, the overview > (section 1.3) seems more specific to the OAuth specification than > this document. As I read it, this mechanism could be used for ANY > bearer token, not just one generated through OAuth flows. > > If it is indeed more general, I'd recommend minimising the > discussion of OAuth, perhaps even removing it from the document > title. > > I agree that the title would be better simply as "HTTP Bearer Tokens", and then explain in the Abstract and Intro that the motivation and intended use of these Bearer Tokens is the OAuth 2.0 specification. A possibly useful side effect of this change might be that you can make OAuth 2.0 an informative (as against a normative) reference, and that these things could be reused for other purposes in the future. Not a huge deal, but I (like Mark) was unconvinced that the reference to OAuth in the title was necessary. > > * Section 3 The WWW-Authenticate Response Header Field > > The difference between a realm and a scope is not explained. Are the > functionally equivalent, just a single value vs. a list? > > Some text, and probably an example, might help explain this a bit better. > > One of his comments asked for some additional review. I don't have a personal opinion whether this is needed, but perhaps you should pursue > this: > > * General > > The draft currently doesn't mention whether Bearer is suitable for > use as a proxy authentication scheme. I suspect it *may*; it would > be worth discussing this with some proxy implementers to gauge their > interest (e.g., Squid). > > >
- [OAUTH-WG] FW: Pete Resnick's Discuss on draft-ie… Mike Jones
- Re: [OAUTH-WG] FW: Pete Resnick's Discuss on draf… Stephen Farrell
- Re: [OAUTH-WG] FW: Pete Resnick's Discuss on draf… Mike Jones