Re: [OAUTH-WG] secdir review of draft-ietf-oauth-v2

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 07 January 2012 06:51 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Leif Johansson <leifj@sunet.se>, OAuth WG <oauth@ietf.org>
Date: Fri, 06 Jan 2012 23:50:45 -0700

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Tuesday, September 20, 2011 3:13 PM

> > 3.1.1 Response Type
> >
> > The response_type parameter is REQUIRED but its absence SHOULD result
> > in an error. Why not MUST?

Changes to MUST.

> > 3.1.2.4 Invalid Endpoint
> >
> > "The authorization server SHOULD NOT redirect...". Why isn't this a
> > MUST NOT?
> 
> I'm ok with MUST NOT - any objections?

This one is actually tricky. I don't like the current text (mine) because untrusted is a useless qualifier here. The point is that redirecting to unregistered endpoints can lead to the abuse of the endpoint as an open redirector. Because we actually support unregistered callbacks, we can't say MUST NOT. I am removing the 'untrusted' part but leaving the SHOULD NOT as is.

EHL
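
The two points discussed above, as an added example that is not part of the original message or of the draft: an authorization endpoint that treats a missing response_type as an error and never sends an error redirect to a redirection URI the client did not register, so the endpoint cannot be used as an open redirector. The client registry, the function names and the policy of requiring an exact match on a redirect_uri present in the request are assumptions of this sketch; a deployment that accepts unregistered callbacks would need its own rule in `trusted_redirect`.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed client registry (hypothetical client ids and URIs).
REGISTERED = {
    "client-a": {"https://client.example/cb"},
    "client-b": set(),  # client registered without any callback
}
SUPPORTED_RESPONSE_TYPES = ("code", "token")


def trusted_redirect(client_id, redirect_uri):
    """Return redirect_uri only if it exactly matches a registered URI."""
    uris = REGISTERED.get(client_id)
    if not uris or not redirect_uri:
        return None
    return redirect_uri if redirect_uri in uris else None


def error_redirect(uri, code, state=None):
    """Append the error (and state, if given) to the URI's query string."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", code))
    if state is not None:
        query.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(query)))


def handle_authorization_request(params):
    """Return ("page", msg), ("redirect", location) or ("consent", uri)."""
    target = trusted_redirect(params.get("client_id"), params.get("redirect_uri"))
    if target is None:
        # Unknown or mismatching endpoint: tell the resource owner, do not redirect.
        return ("page", "Invalid or unregistered redirection URI")
    state = params.get("state")
    response_type = params.get("response_type")
    if not response_type:
        # response_type is REQUIRED, so its absence is always an error.
        return ("redirect", error_redirect(target, "invalid_request", state))
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return ("redirect", error_redirect(target, "unsupported_response_type", state))
    return ("consent", target)
```
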