Re: [OAUTH-WG] [Gen-art] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-22.txt
Julian Reschke <julian.reschke@gmx.de> Tue, 17 July 2012 17:31 UTC
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: General Area Review Team <gen-art@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
On 2012-07-17 19:15, Mike Jones wrote:
> For clarity of discussion, the definition in question is:
>
>      b64token    = 1*( ALPHA / DIGIT /
>                        "-" / "." / "_" / "~" / "+" / "/" ) *"="
>
> Note that b64token is a liberal syntax intended to permit base64 encoded content (hence the inclusion of the "+" and "/" characters and the optional trailing "=" characters), base64url encoded content (hence the inclusion of the "-" and "_" characters) and other URL-safe productions (hence the inclusion of the "." and "~" characters).
>
> Its use is definitely not intended to be restricted to base64 encoded content, per RFC 4648. If it were so restricted (by not allowing ".", for instance), this would exclude the use of JWTs as bearer tokens, for instance, which is something we *definitely* want to allow.
>
> As a result, I don't think adding a reference to RFC 4648 is either necessary or appropriate.
>
> Julian may be able to provide more background.

That is correct, in that the constraint on the token contents seems to be defined elsewhere.

That being said, by changing the reference from HTTPbis to 2617 you broke the spec:

   The "Authorization" header field uses the framework defined by
   HTTP/1.1 [RFC2617] as follows:

     b64token    = 1*( ALPHA / DIGIT /
                       "-" / "." / "_" / "~" / "+" / "/" ) *"="

     credentials = "Bearer" 1*SP b64token

...because in RFC 2617, exactly that syntax is not allowed:

   credentials = auth-scheme #auth-param
   auth-param  = token "=" ( token | quoted-string )

I have to say that I'm a bit surprised by that change (was there any public discussion about it?).

It is probably possible to fix this without having to reference HTTPbis, but I'm not totally sure about why you would want that. (Note that the spec can be approved before HTTPbis, it just would have to wait for RFC publication a bit longer.)

Best regards,
Julian
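An added illustration, not part of the thread, of the grammar conflict Julian describes: the two ABNF productions quoted in the mail are transcribed into regular expressions and run over the same header values, which shows that the draft's b64token and RFC 2617's auth-param list accept different strings in both directions. The token and quoted-string rules are taken from RFC 2616 (quoted-string approximated); all sample header values are constructed.

```python
"""Added example: the draft's b64token production vs RFC 2617 credentials."""
import re

# draft-ietf-oauth-v2-bearer (as quoted in the mail):
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
B64TOKEN = r"[A-Za-z0-9\-._~+/]+=*"
BEARER_CREDENTIALS = re.compile(r"^Bearer +(" + B64TOKEN + r")$")

# RFC 2617 (as quoted in the mail):
#   credentials = auth-scheme #auth-param
#   auth-param  = token "=" ( token | quoted-string )
# RFC 2616 token: any CHAR except CTLs and the separators ()<>@,;:\"/[]?={} SP HT
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\\x00-\x1f]|\\.)*"'  # approximation of RFC 2616 quoted-string
AUTH_PARAM = TOKEN + r"=(?:" + TOKEN + r"|" + QUOTED_STRING + r")"
# "#rule" in RFC 2616 is a comma-separated list with zero or more elements.
RFC2617_CREDENTIALS = re.compile(
    r"^(" + TOKEN + r")(?:[ \t]+" + AUTH_PARAM
    + r"(?:[ \t]*,[ \t]*" + AUTH_PARAM + r")*)?$"
)


def parse_bearer(header):
    """Return the b64token if HEADER matches the draft's production, else None."""
    m = BEARER_CREDENTIALS.match(header)
    return m.group(1) if m else None


def parse_rfc2617(header):
    """Return (auth-scheme, [auth-param, ...]) if HEADER matches RFC 2617, else None."""
    m = RFC2617_CREDENTIALS.match(header)
    if not m:
        return None
    return m.group(1), re.findall(AUTH_PARAM, header[m.end(1):])


def classify(header):
    """Report which of the two grammars accept HEADER."""
    return {"b64token": parse_bearer(header) is not None,
            "rfc2617": parse_rfc2617(header) is not None}


if __name__ == "__main__":
    for h in ("Bearer aGVhZGVy.cGF5bG9hZA.c2ln",  # dotted, JWT-shaped (constructed)
              "Bearer mF_9B5f-41JqM==",           # base64 with padding (constructed)
              "Bearer realm=example"):            # a plain RFC 2617 auth-param
        print(repr(h), classify(h))
```

A JWT-shaped or padded base64 value is rejected by the RFC 2617 grammar because no auth-param of the form token "=" (token | quoted-string) matches it, while a well-formed auth-param such as realm=example is rejected by b64token because nothing may follow the trailing "=" characters.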