Re: [OAUTH-WG] [Gen-art] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-22.txt

Julian Reschke <julian.reschke@gmx.de> Tue, 17 July 2012 17:31 UTC

Message-ID: <5005A19A.9050104@gmx.de>
Date: Tue, 17 Jul 2012 19:32:10 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4F2575CE.9040001@isode.com> <4E1F6AAD24975D4BA5B16804296739436638B7AD@TK5EX14MBXC284.redmond.corp.microsoft.com> <4F27C37C.1090008@isode.com> <4F843A22.4020908@isode.com> <4F843DA1.8080703@isode.com> <500546C5.6080102@isode.com>, <50054897.3070108@cs.tcd.ie> <4E1F6AAD24975D4BA5B1680429673943667370D7@TK5EX14MBXC285.redmond.corp.microsoft.com> <50059598.3030304@gmx.de> <50059A95.7050904@isode.com> <4E1F6AAD24975D4BA5B16804296739436673743F@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436673743F@TK5EX14MBXC285.redmond.corp.microsoft.com>
Cc: General Area Review Team <gen-art@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Gen-art] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-22.txt

On 2012-07-17 19:15, Mike Jones wrote:
> For clarity of discussion, the definition in question is:
>       b64token    = 1*( ALPHA / DIGIT /
>                         "-" / "." / "_" / "~" / "+" / "/" ) *"="
>
> Note that b64token is a liberal syntax intended to permit base64 encoded content (hence the inclusion of the "+" and "/" characters and the optional trailing "=" characters), base64url encoded content (hence the inclusion of the "-" and "_" characters) and other URL-safe productions (hence the inclusion of the "." and "~" characters).
>
> Its use is definitely not intended to be restricted to base64 encoded content, per RFC 4648. If it were so restricted (by not allowing ".", for instance), this would exclude the use of JWTs as bearer tokens, for instance, which is something we *definitely* want to allow.
>
> As a result, I don't think adding a reference to RFC 4648 is either necessary or appropriate.
>
> Julian may be able to provide more background.

That is correct, in that the constraint on the token contents seems to 
be defined elsewhere.

That being said, by changing the reference from HTTPbis to 2617 you 
broke the spec:

    The "Authorization" header field uses the framework defined by
    HTTP/1.1 [RFC2617] as follows:

      b64token    = 1*( ALPHA / DIGIT /
                        "-" / "." / "_" / "~" / "+" / "/" ) *"="
      credentials = "Bearer" 1*SP b64token

...because in RFC 2617, exactly that syntax is not allowed:

      credentials = auth-scheme #auth-param
      auth-param     = token "=" ( token | quoted-string )

I have to say that I'm a bit surprised by that change (was there any 
public discussion about it?). It is probably possible to fix this 
without having to reference HTTPbis, but I'm not totally sure about why 
you would want that.

(Note that the spec can be approved before HTTPbis; it would just have 
to wait a bit longer for RFC publication.)

Best regards, Julian
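The mismatch Julian points out can be checked mechanically. The example below is added here and is not code from the thread or from the draft: it transcribes the draft's b64token/credentials ABNF and RFC 2617's `credentials = auth-scheme #auth-param` into regular expressions (filling in RFC 2616's `token` and `quoted-string` rules, which the quoted text does not repeat) and shows that a JWT-style or base64 token accepted by the draft is not a valid `#auth-param` list. The sample header values are constructed, not real tokens.

```python
import re

# draft-ietf-oauth-v2-bearer-22 (as quoted in the thread):
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
B64TOKEN = r"[A-Za-z0-9\-._~+/]+=*"
BEARER_CREDENTIALS = re.compile(r"Bearer +(" + B64TOKEN + r")")

# RFC 2617 framework (as quoted in the thread):
#   credentials = auth-scheme #auth-param
#   auth-param  = token "=" ( token | quoted-string )
# RFC 2616 'token': any CHAR except CTLs and the separators ()<>@,;:\"/[]?={} SP HT
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x00-\x7f])*"'
AUTH_PARAM = TOKEN + r"=(?:" + TOKEN + r"|" + QUOTED_STRING + r")"
# "#auth-param" is a comma-separated list that may be empty (RFC 2616 #rule);
# the implied linear whitespace between elements is modelled as [ \t]*.
RFC2617_CREDENTIALS = re.compile(
    TOKEN + r"(?:[ \t]+" + AUTH_PARAM + r"(?:[ \t]*,[ \t]*" + AUTH_PARAM + r")*)?"
)


def parse_bearer(value):
    """Return the b64token of an Authorization value per the draft's ABNF, else None."""
    m = BEARER_CREDENTIALS.fullmatch(value)
    return m.group(1) if m else None


def fits_rfc2617_framework(value):
    """True iff the value parses as credentials = auth-scheme #auth-param (RFC 2617)."""
    return RFC2617_CREDENTIALS.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    samples = (
        "Bearer mF_9.B5f-4.1JqM",                # JWT-style with ".": draft yes, 2617 no
        "Bearer YWJj/ZGVm+==",                   # base64 with "/" and padding: draft yes, 2617 no
        "Bearer access_token=mF_9.B5f-4.1JqM",   # auth-param form: draft no, 2617 yes
        "Bearer",                                # empty #auth-param list: draft no, 2617 yes
    )
    for v in samples:
        print(repr(v), "b64token:", parse_bearer(v), "RFC2617:", fits_rfc2617_framework(v))
```

Note that the last two samples show the mismatch runs in both directions: what RFC 2617 accepts under the Bearer scheme is not what the draft's grammar accepts, so the draft cannot simply claim to "use the framework" of RFC 2617 for this syntax.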