IETF Logo Mail Archive

Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

Mike Jones <Michael.Jones@microsoft.com> Wed, 25 January 2012 01:03 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077C221F8603; Tue, 24 Jan 2012 17:03:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.775
X-Spam-Level:
X-Spam-Status: No, score=-3.775 tagged_above=-999 required=5 tests=[AWL=-0.176, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4pzhbQXw20Y; Tue, 24 Jan 2012 17:03:45 -0800 (PST)
Received: from DB3EHSOBE002.bigfish.com (db3ehsobe002.messaging.microsoft.com [213.199.154.140]) by ietfa.amsl.com (Postfix) with ESMTP id 49B5F21F85EF; Tue, 24 Jan 2012 17:03:38 -0800 (PST)
Received: from mail64-db3-R.bigfish.com (10.3.81.246) by DB3EHSOBE002.bigfish.com (10.3.84.22) with Microsoft SMTP Server id 14.1.225.23; Wed, 25 Jan 2012 01:03:37 +0000
Received: from mail64-db3 (localhost [127.0.0.1]) by mail64-db3-R.bigfish.com (Postfix) with ESMTP id 19587202D6; Wed, 25 Jan 2012 01:03:37 +0000 (UTC)
X-SpamScore: -38
X-BigFish: VS-38(zz9371I936eK542M1432N98dKzz1202hzz1033IL8275dhz2fhc1bhc31hc1ah2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail64-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC105.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail64-db3 (localhost.localdomain [127.0.0.1]) by mail64-db3 (MessageSwitch) id 1327453415813637_4689; Wed, 25 Jan 2012 01:03:35 +0000 (UTC)
Received: from DB3EHSMHS019.bigfish.com (unknown [10.3.81.253]) by mail64-db3.bigfish.com (Postfix) with ESMTP id C29874C0046; Wed, 25 Jan 2012 01:03:35 +0000 (UTC)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS019.bigfish.com (10.3.87.119) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 25 Jan 2012 01:03:35 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.12]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0247.005; Tue, 24 Jan 2012 17:03:33 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Thread-Topic: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
Thread-Index: Acza9LphO1mPc9gpRTC5FQtXgyb9wgARUdSAABClghA=
Date: Wed, 25 Jan 2012 01:03:32 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436638022F@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394366380094@TK5EX14MBXC284.redmond.corp.microsoft.com> <4F1F4A7B.9090408@gmx.de>
In-Reply-To: <4F1F4A7B.9090408@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2012 01:03:52 -0000

Typically "interoperability" is only meaningfully defined over legal inputs to a protocol.  There is no expectation of interoperability when values outside those specified as being legal by a protocol are used.

The case you cite below of implementations that "accept invalid field instances" is then, almost by definition, not an interoperability problem, as what you're concerned about is the behavior of implementations when sent illegal inputs - not the behavior of implementations when producing and consuming legal protocol values.

I believe that that's the key distinction that is causing you to look at this issue differently than much of the working group.

				Cheers,
				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Tuesday, January 24, 2012 4:19 PM
To: Mike Jones
Cc: ietf@ietf.org; The IESG; oauth@ietf.org
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

On 2012-01-25 01:03, Mike Jones wrote:
> Per the discussion at http://www.ietf.org/mail-archive/web/oauth/current/msg08040.html, the working group's rationale for supporting quoted-string but not token syntax for these parameters, and for requiring that backslash ('\') quoting not be used when producing them is as follows:
>
> "Once again, the current text reflects a consensus decision of the working group.  It was viewed that requiring support for multiple ways of doing the same thing unnecessarily complicated implementations without any compensating benefit; better to support one syntax for each semantic operation and require all implementations to use it."

Mike, you continue to ignore that WWW-Authenticate needs to be processed by generic parsers, as a single instance can contain challenges for different schemes.

If you disagree with the text below:

    o  The parsing of challenges and credentials is defined by this
       specification, and cannot be modified by new authentication
       schemes.  When the auth-param syntax is used, all parameters ought
       to support both token and quoted-string syntax, and syntactical
       constraints ought to be defined on the field value after parsing
       (i.e., quoted-string processing).  This is necessary so that
       recipients can use a generic parser that applies to all
       authentication schemes.

(which is from the text defining the registry you are using), then please come over to the HTTPbis WG and ask for a change. It's work-in-progress.

> Despite Julian's remarks below, the syntax in the Bearer spec *is* compatible with standard parameter parsers, and so no interoperability problems are created by restricting the parameter syntax to a subset of the syntax allowed by HTTPbis.  No non-standard code is needed to use parameters in the manner described in the Bearer spec.

That is not true. Using standard components will cause recipients to accept invalid field instances, which *is* an interoperability problem.

This has happened before: RFC 2617 states that the realm parameter needs to be quoted, but we see that all browsers accept the token form as well (<http://greenbytes.de/tech/tc/httpauth/#simplebasictok>). That's not a surprise because it's the natural thing to do with a generic parser.

Please don't add to the mess. In particular when there really is no reason to do so. All I heard from you is: "we prefer it that way". I'm sorry, but that's not sufficient.

> ...

Best regards, Julian

v2.23.0 | Report a Bug | By Email