Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10

Julian Reschke <julian.reschke@gmx.de> Thu, 20 October 2011 08:05 UTC

Message-ID: <4E9FD642.9070100@gmx.de>
Date: Thu, 20 Oct 2011 10:05:22 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C24B1CA@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FC9FA.8030001@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24CAE6@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FCFA4.7050706@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24CBB6@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C24CBB6@TK5EX14MBXC283.redmond.corp.microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10

On 2011-10-20 09:41, Mike Jones wrote:
> Your proposed wording for 2.4 misses the point:  \ MUST NOT occur at all in the input string.  No quoting may occur.
> ...

No, it doesn't miss the point.

You need to tell implementers whether they can use a quoted-string 
processor. Those processors will accept all the values you want to 
support, plus values that contain "\c" (representing "c"). Is this ok, 
or are recipients supposed to reject these values?

Furthermore, it's not clear what recipients are supposed to do with 
values that are not quoted, for instance for scope. The ABNF makes them 
illegal, but I promise you that many recipients will accept them 
nevertheless (unless you manage to make them draconian using a very 
good test suite).

See <http://greenbytes.de/tech/tc/httpauth/#simplebasictok> for a test 
case checking this for the realm parameter. It's already bad for many 
existing headers, please let's do things right with new ones.

Best regards, Julian
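The two readings Julian contrasts, made concrete as an added example (mine, not code from the Bearer draft, from the httpbis test suite, or from anyone on this thread). "generic" mode is what a reusable RFC 2616-style quoted-string processor does: it accepts token values for any parameter and turns a quoted-pair "\c" into the single character c. "strict" mode is the Bearer ABNF read literally: realm, scope and the error parameters must be quoted-strings, no backslash may occur at all, and scope must match scope-v *( SP scope-v ) with NQCHAR = %x21 / %x23-5B / %x5D-7E (the ABNF that was later published in RFC 6750). The sample challenges are constructed; the parameter set QUOTED_ONLY, the function names and the choice of where to stop tolerating are my assumptions, not the draft's text.

```python
"""Two readings of a Bearer challenge's auth-params: a generic HTTP
quoted-string processor versus the Bearer ABNF taken literally.
Added example; not code from the draft or from the list thread."""
import re

# RFC 2616 token: any CHAR except CTLs and separators ()<>@,;:\"/[]?={} SP HT
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# scope-v = 1*NQCHAR ; NQCHAR = %x21 / %x23-5B / %x5D-7E ; scope-v separated by SP
SCOPE_RE = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+(?: [\x21\x23-\x5b\x5d-\x7e]+)*")
# Assumption: the parameters the Bearer draft defines as quoted-string only.
QUOTED_ONLY = {"realm", "scope", "error", "error_description", "error_uri"}


class ChallengeError(ValueError):
    """Raised when the challenge is rejected under the chosen mode."""


def _quoted_string(s, i, strict):
    """Parse a quoted-string starting at s[i] == '"'; return (value, index after it).
    generic mode unescapes quoted-pairs; strict mode rejects any backslash at all."""
    i += 1
    out = []
    while i < len(s):
        ch = s[i]
        if ch == '"':
            return "".join(out), i + 1
        if ch == "\\":
            if strict:
                raise ChallengeError("backslash inside quoted-string is not permitted")
            if i + 1 >= len(s):
                raise ChallengeError("dangling backslash")
            out.append(s[i + 1])  # quoted-pair: "\c" -> c
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ChallengeError("unterminated quoted-string")


def parse_bearer_params(header, strict=False):
    """Parse 'Bearer <auth-params>' into a dict of lower-cased names to values."""
    scheme, _, s = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ChallengeError("not a Bearer challenge")
    params = {}
    i = 0
    while True:
        while i < len(s) and s[i] in " \t,":  # OWS and empty list elements
            i += 1
        if i >= len(s):
            break
        m = TOKEN_RE.match(s, i)
        if not m:
            raise ChallengeError(f"expected parameter name at offset {i}")
        name, i = m.group().lower(), m.end()
        while i < len(s) and s[i] in " \t":
            i += 1
        if i >= len(s) or s[i] != "=":
            raise ChallengeError(f"expected '=' after {name}")
        i += 1
        while i < len(s) and s[i] in " \t":
            i += 1
        if i < len(s) and s[i] == '"':
            value, i = _quoted_string(s, i, strict)
        else:
            m = TOKEN_RE.match(s, i)
            if not m:
                raise ChallengeError(f"expected value for {name}")
            if strict and name in QUOTED_ONLY:
                raise ChallengeError(f"{name} must be a quoted-string, got token {m.group()!r}")
            value, i = m.group(), m.end()
        if strict and name == "scope" and not SCOPE_RE.fullmatch(value):
            raise ChallengeError(f"scope {value!r} does not match scope-v *( SP scope-v )")
        if name in params:
            raise ChallengeError(f"duplicate parameter {name}")
        params[name] = value
        while i < len(s) and s[i] in " \t":
            i += 1
        if i < len(s) and s[i] != ",":
            raise ChallengeError(f"expected ',' at offset {i}")
    return params


def accepts(header, strict):
    """Return the parsed params, or None if the chosen mode rejects the challenge."""
    try:
        return parse_bearer_params(header, strict=strict)
    except ChallengeError:
        return None


# Constructed challenges; the last three are the cases the thread argues about.
SAMPLES = [
    'Bearer realm="example", scope="openid profile"',
    'Bearer realm="example", scope=openid',        # scope not quoted: illegal per ABNF
    'Bearer realm="ex\\"ample", scope="openid"',   # quoted-pair escaping a DQUOTE
    'Bearer realm="a\\b"',                         # "\b" is just b to a quoted-string processor
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h}\n  generic: {accepts(h, False)}\n  strict:  {accepts(h, True)}")
```

The point of running both modes side by side is that they disagree on exactly the inputs the draft is silent about: an unquoted scope and a backslash inside a quoted realm are accepted by the generic processor and rejected by the strict one, so two conforming-looking implementations will produce different realm and scope values for the same challenge unless the spec says which behaviour is required.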