Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
Mike Jones <Michael.Jones@microsoft.com> Mon, 19 December 2011 01:01 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8806821F8B28 for <oauth@ietfa.amsl.com>; Sun, 18 Dec 2011 17:01:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.949
X-Spam-Level:
X-Spam-Status: No, score=-2.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8iqWhofGAR0j for <oauth@ietfa.amsl.com>; Sun, 18 Dec 2011 17:01:11 -0800 (PST)
Received: from AM1EHSOBE002.bigfish.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id B30EA21F8B23 for <oauth@ietf.org>; Sun, 18 Dec 2011 17:01:10 -0800 (PST)
Received: from mail62-am1-R.bigfish.com (10.3.201.247) by AM1EHSOBE002.bigfish.com (10.3.204.22) with Microsoft SMTP Server id 14.1.225.23; Mon, 19 Dec 2011 01:01:04 +0000
Received: from mail62-am1 (localhost [127.0.0.1]) by mail62-am1-R.bigfish.com (Postfix) with ESMTP id BD9211C00D0; Mon, 19 Dec 2011 01:01:22 +0000 (UTC)
X-SpamScore: -43
X-BigFish: VS-43(zz9371I936eK542M1432N1418M98dKzz1202hzz1033IL8275dhz2fh2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail62-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail62-am1 (localhost.localdomain [127.0.0.1]) by mail62-am1 (MessageSwitch) id 1324256482592092_30403; Mon, 19 Dec 2011 01:01:22 +0000 (UTC)
Received: from AM1EHSMHS010.bigfish.com (unknown [10.3.201.248]) by mail62-am1.bigfish.com (Postfix) with ESMTP id 8D2334C0043; Mon, 19 Dec 2011 01:01:22 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS010.bigfish.com (10.3.207.110) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 19 Dec 2011 01:01:04 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.84]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0247.005; Sun, 18 Dec 2011 17:01:07 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Thread-Topic: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
Thread-Index: Acy47iNp13oTBlqgSku13D4DVT123QARXncAABBmrxD//4ZMAP/2vuaA
Date: Mon, 19 Dec 2011 01:01:07 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F773D24@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435F75F103@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE634DE.4000902@gmx.de> <4E1F6AAD24975D4BA5B16804296739435F75F275@TK5EX14MBXC283.redmond.corp.microsoft.com> <4EE63CD8.60704@gmx.de>
In-Reply-To: <4EE63CD8.60704@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Mark Nottingham <mnot@mnot.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2011 01:01:12 -0000
Hi Julian,
I'm glad to hear that you're not disagreeing with the decision to disallow '\' in certain parameter values. I think that knowing that brings us much closer to resolution on this issue.
I'm puzzled by your statement "What I'm disagreeing with is writing the ABNF in a way that will make it likely for implementers to special-case OAuth parameters when they should not", however. At your suggestion, we changed the ABNF to use the standard HTTPbis quoted-string element (and to stop using a special-case ABNFs for these parameters). Indeed, in this way, the current definition makes it clear that no special-case parameter processing is needed (unlike the previous definitions).
Likewise, I'm puzzled by this related statement of yours: "The syntax of WWW-Authenticate is defined by HTTP. You *can* profile what senders can put into OAuth-specific parameters, but profiling what consumers need to parse is dangerous. Don't. Just use the generic grammar." The reason this puzzles me is that I can find no text in the draft profiling what consumers need to parse. And indeed, the spec *does* use the generic grammar. The only statements restricting the contents of these fields profile what *producers* may put in them. These statements are:
"Producers of scope strings MUST NOT use characters outside the set %x21 / %x23-5B / %x5D-7E for representing the scope values and %x20 for the delimiter. Producers of error and error_description strings MUST NOT use characters outside the set %x20-21 / %x23-5B / %x5D-7E for representing these values. Producers of error-uri strings MUST NOT use characters outside the set %x21 / %x23-5B / %x5D-7E for representing these values. Furthermore, error-uri strings MUST conform to the URI-Reference syntax. In all these cases, no character quoting will occur, as senders are prohibited from using the %5C ('\') character."
I'm guessing that you're objecting to the last sentence above about no character quoting occurring. As I see it, that sentence in no way profiles what consumers need to parse; it is making an observation that directly follows from the restrictions upon producers made in the other sentences of the paragraph.
If that is the text that you are objecting to, I can see two potential resolutions to this issue:
1. Remove the sentence making the observation that no character quoting will occur. This would be less clear for developers but doing so would not change the meaning of the specification.
2. Leave the specification as-is. Since the specification *is* now using the generic grammar (the quoted-string ABNF element), I'm hoping that you will respond agreeing that no problem remains, thus closing this issue.
If you still disagree with (2), Julian, then I'd like to hear working group opinions on which of these potential resolutions members support.
Thanks all,
-- Mike
-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de]
Sent: Monday, December 12, 2011 9:42 AM
To: Mike Jones
Cc: Mark Nottingham; Stephen Farrell; oauth@ietf.org
Subject: Re: [OAUTH-WG] FW: [apps-discuss] APPS Area review of draft-ietf-oauth-v2-bearer-14
On 2011-12-12 18:28, Mike Jones wrote:
> Julian, you should reread the (substantial) mailing list threads on this topic. As an example demonstrating the consensus, I've attached a pair of messages from a thread on this topic in which several people supported the input restriction to preclude character quoting.
>
> For instance, in this thread Eran Hammer-Lahav wrote: "All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever."
>
> You'll also find that all of these people then explicitly agreed with this restriction:
> John Bradley
> William Mills
> Phil Hunt
> Mike Jones
>
> I believe that there were others as well. Therefore, it is inaccurate to characterize this consensus decision as "essentially, the two of us disagreed".
Mike,
I'm not disagreeing with the decision not to allow "\" in the value.
What I'm disagreeing with is writing the ABNF in a way that will make it likely for implementers to special-case OAuth parameters when they should not.
The syntax of WWW-Authenticate is defined by HTTP. You *can* profile what senders can put into OAuth-specific parameters, but profiling what consumers need to parse is dangerous. Don't. Just use the generic grammar.
Best regards, Julian
- [OAUTH-WG] FW: [apps-discuss] APPS Area review of… Eran Hammer-Lahav
- [OAUTH-WG] FW: [apps-discuss] APPS Area review of… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] FW: [apps-discuss] APPS Area revie… Mike Jones
- Re: [OAUTH-WG] FW: [apps-discuss] APPS Area revie… Julian Reschke
- Re: [OAUTH-WG] FW: [apps-discuss] APPS Area revie… Mike Jones
- Re: [OAUTH-WG] FW: [apps-discuss] APPS Area revie… Julian Reschke
- Re: [OAUTH-WG] FW: [apps-discuss] APPS Area revie… Mike Jones
- Re: [OAUTH-WG] FW: [apps-discuss] APPS Area revie… Julian Reschke