Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
Julian Reschke <julian.reschke@gmx.de> Thu, 20 October 2011 08:05 UTC
On 2011-10-20 09:41, Mike Jones wrote:
> Your proposed wording for 2.4 misses the point: \ MUST NOT occur at all in the input string. No quoting may occur.
> ...

No, it doesn't miss the point.

You need to tell implementers whether they can use a quoted-string processor. Those processors will accept all the values you want to support, plus values that contain "\c" (representing "c"). Is this ok, or are recipients supposed to reject these values?

Furthermore, it's not clear what recipients are supposed to do with values that are not quoted, for instance for scope. The ABNF makes them illegal, but I promise you that many recipients will accept them nevertheless (unless you manage them to become draconian using a very good test suite). See <http://greenbytes.de/tech/tc/httpauth/#simplebasictok> for a test case checking this for the realm parameter.

It's already bad for many existing headers, please let's do things right with new ones.

Best regards, Julian
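The two recipient behaviours contrasted in this message, as an added example that is not part of the original e-mail or of the draft: a generic quoted-string processor next to a strict reading in which the value must be quoted and a backslash may not occur. The function names, the sample scope values and the token character set (taken from RFC 7230 `tchar`) are assumptions made for illustration.

```python
import re

# Assumption: unquoted values are matched against the RFC 7230 tchar set.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")

def lenient_value(raw):
    """Generic processor: accepts a token or a quoted-string and
    unescapes quoted-pairs, so "\\c" inside the quotes becomes "c"."""
    if TOKEN.match(raw):
        return raw
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        out, i, body = [], 0, raw[1:-1]
        while i < len(body):
            ch = body[i]
            if ch == '"':
                raise ValueError("unescaped quote inside quoted-string")
            if ch == "\\":
                i += 1
                if i == len(body):
                    raise ValueError("dangling backslash")
                ch = body[i]
            out.append(ch)
            i += 1
        return "".join(out)
    raise ValueError("neither token nor quoted-string")

def strict_value(raw):
    """Strict reading discussed in the thread: the value must be quoted
    and a backslash must not occur at all (hypothetical model)."""
    if not (len(raw) >= 2 and raw[0] == raw[-1] == '"'):
        raise ValueError("value must be quoted")
    body = raw[1:-1]
    if "\\" in body or '"' in body:
        raise ValueError("backslash or quote not allowed in value")
    return body

def classify(raw):
    """Return (lenient result, strict result); None marks a rejection."""
    results = []
    for parse in (lenient_value, strict_value):
        try:
            results.append(parse(raw))
        except ValueError:
            results.append(None)
    return tuple(results)

# Constructed sample scope values: plain quoted, quoted-pair, unquoted.
SAMPLES = ['"read write"', r'"re\ad"', 'read']
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

Any row where the two results differ is a value on which a sender and two recipients can disagree, which is the interoperability gap the message asks the specification to close.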