Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Fri, 06 September 2019 18:17 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DADEE120809 for <oauth@ietfa.amsl.com>; Fri, 6 Sep 2019 11:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YzEWtNdWg_h1 for <oauth@ietfa.amsl.com>; Fri, 6 Sep 2019 11:17:55 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8042B120073 for <oauth@ietf.org>; Fri, 6 Sep 2019 11:17:55 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id f12so14741627iog.12 for <oauth@ietf.org>; Fri, 06 Sep 2019 11:17:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OT9ZeNjpqzIebMDY5BNFoFPUKXqfa4ukkDak5crpbAE=; b=Qj7dvlFIogFxzYXgaQJ2J7GNTqk4UOuAdWlKHX+vflnjQTdByQagoPkZsfwucnF218 xtFA8Ikh2bYlMsEXFGzZBTHEDrcN7+FfL4FN3LXc1Mze/LP/XopOMug2ieW5bWJFMumK 9ArRcA9Whc6kJsOhGgehiLWZ/DnfSRrEhyeiQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OT9ZeNjpqzIebMDY5BNFoFPUKXqfa4ukkDak5crpbAE=; b=A38iPdqDIah6Ujgv2p5/bISwOe+onbhqCjHOLpMioJj+6C4Qu0yvw/0/QP5xI9aF/J bAfBBKudVHocydDv5wqV6zf9zYyHadZ7JGSl2PNhrghaoOoFLe94D948S2rhXnLrJ5Ou zU0HM+RCzEURi5rWmr8i2Wdn/KZbDhj0oXZ6Pn/X0XYb9fedb15A9YC/nmYbIPZhqq3V kq43P+ImMBtJoLudmoJZcJ0cjUBbp/xtmrk4FyPZEMAHPqC75vIKuGv5U8d6N6sqdqTa nNTygvsFvcahQHfv7jBGlXpkXRh7KLuaGFrMerVedmIG/Fh/PSudkthinvs9TsX3CcOG rLYQ==
X-Gm-Message-State: APjAAAU3IfoKevkUd2UHcPb6EuhGWndyFDsJdd5xriQI/cHlfUtwguVv sZdFZLHWUnFIu+9bV6JDnw49Ttr59J3YBq5sCeGeme9J7pFC8xQcfvwL+O5XyZPGRVPwo3j3yu2 fPIcWCeSrj8Dxog==
X-Google-Smtp-Source: APXvYqw851hCJp+V4GBP3LZEMU/QlQkhYMg2G/iYsDS3OD0Ndv9lPvjn4ToKtHQD/5NLm2PBpwRBVlc2L1l5YHLgK8k=
X-Received: by 2002:a6b:ed18:: with SMTP id n24mr7168604iog.115.1567793874655; Fri, 06 Sep 2019 11:17:54 -0700 (PDT)
MIME-Version: 1.0
References: <156757720342.20663.3055037033818226992.idtracker@ietfa.amsl.com> <CA+k3eCSH5pkMkqBUmcENSdc3kDB0z3kpZoVGrPdB2hbsXvV8Bg@mail.gmail.com> <CALaySJJKt7UM7Xq-azgh1eF8hoBwvf+xatdC-PTeSOYvFBsieA@mail.gmail.com> <CA+k3eCQzTDChVPVZiDPykV7GqU_ibpG9g8Av4Rr+uqd1gtBUsg@mail.gmail.com> <CA+k3eCS-pmo5Htq5=8zxbdV0AZtzb=RuE2PfhjPbBttZe+Tywg@mail.gmail.com> <CALaySJ+8Rov1ghLhyJWDERfR17x1FKo_a3+_v9vFea2chqRt6A@mail.gmail.com> <354c9b93-271e-9ff2-86a5-9a9e76ab77e7@nostrum.com>
In-Reply-To: <354c9b93-271e-9ff2-86a5-9a9e76ab77e7@nostrum.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 6 Sep 2019 12:17:28 -0600
Message-ID: <CA+k3eCQKXKM2MWFzb4Ntu7Zba3FFKjwNu4yh97KrboPhDNWt-A@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Barry Leiba <barryleiba@computer.org>, draft-ietf-oauth-resource-indicators@ietf.org, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fb107b0591e674a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/x87EQ0Dwq3_ERrH5PzDjRSaWBt4>
Subject: Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2019 18:17:58 -0000

I don't have any aversion to adding something but I've been at a bit of a
loss as to what exactly to say or how to say it. But here's a stab at
something. How about the following sentence, which kind of layers your
words onto the text that Barry previously suggested:

"It SHOULD NOT include a query component, but it is recognized that there
are cases that make a query component a useful and necessary part of the
resource parameter, such as when query parameter(s) are used to scope
requests to an application."

On Thu, Sep 5, 2019 at 6:41 PM Adam Roach <adam@nostrum.com>; wrote:

> I don't have a strong objection to it. I still think that, if this is
> allowed (even as a SHOULD NOT), we need clarity that any query
> parameters that are used to scope queries to an application necessarily
> form part of the resource parameter. It's significantly less important,
> though, now that the practice is discouraged, and I won't mind if you go
> ahead without adding such text.
>
> /a
>
> On 9/5/19 4:01 PM, Barry Leiba wrote:
> > Thanks, Brian.  I hope Adam is happy with that as well.
> >
> > Barry
> >
> > On Thu, Sep 5, 2019 at 3:01 PM Brian Campbell
> > <bcampbell@pingidentity.com>; wrote:
> >> I went ahead with this in -07.
> >>
> >> On Wed, Sep 4, 2019 at 3:07 PM Brian Campbell <
> bcampbell@pingidentity.com>; wrote:
> >>> Thanks Barry, I kinda like it. Although I'm a bit hesitant to make a
> change like that at this stage. I guess I'd be looking for a little more
> buy-in from folks first. Though it's not actually a functional breaking
> change. So maybe okay to just go with.
> >>>
> >>> On Wed, Sep 4, 2019 at 2:54 PM Barry Leiba <barryleiba@computer.org>;
> wrote:
> >>>>> Yeah, with query parameters lacking the hierarchical semantics that
> the path component has, it is much less clear. In fact, an earlier revision
> of the draft forbid the query part as I was trying to avoid the ambiguity
> that it brings. But there were enough folks with some use case for it that
> it made its way back in. While I am sympathetic to the point you're making
> here, I'd prefer to not codify the practice any further by way of example
> in the document.
> >>>> Is it perhaps reasonable to discourage the use of a query component
> >>>> while still allowing it?  Maybe a "SHOULD NOT", such as this?:
> >>>>
> >>>> OLD
> >>>>        Its value MUST be an absolute URI, as specified by
> >>>>        Section 4.3 of [RFC3986], which MAY include a query component
> but
> >>>>        MUST NOT include a fragment component.
> >>>> NEW
> >>>>        Its value MUST be an absolute URI, as specified by
> >>>>        Section 4.3 of [RFC3986].  The URI MUST NOT include
> >>>>        a fragment component.  It SHOULD NOT include a query
> >>>>        component, but it is recognized that there are cases that
> >>>>        make a query component useful.
> >>>> END
> >>>>
> >>>> What do you think?
> >>>>
> >>>> Barry
> >>
> >> CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.
>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._