Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Fri, 06 September 2019 18:17 UTC

To: Adam Roach <adam@nostrum.com>
Cc: Barry Leiba <barryleiba@computer.org>, draft-ietf-oauth-resource-indicators@ietf.org, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/x87EQ0Dwq3_ERrH5PzDjRSaWBt4>

I don't have any aversion to adding something but I've been at a bit of a
loss as to what exactly to say or how to say it. But here's a stab at
something. How about the following sentence, which kind of layers your
words onto the text that Barry previously suggested:

"It SHOULD NOT include a query component, but it is recognized that there
are cases that make a query component a useful and necessary part of the
resource parameter, such as when query parameter(s) are used to scope
requests to an application."

On Thu, Sep 5, 2019 at 6:41 PM Adam Roach <adam@nostrum.com> wrote:

> I don't have a strong objection to it. I still think that, if this is
> allowed (even as a SHOULD NOT), we need clarity that any query
> parameters that are used to scope queries to an application necessarily
> form part of the resource parameter. It's significantly less important,
> though, now that the practice is discouraged, and I won't mind if you go
> ahead without adding such text.
>
> /a
>
> On 9/5/19 4:01 PM, Barry Leiba wrote:
> > Thanks, Brian.  I hope Adam is happy with that as well.
> >
> > Barry
> >
> > On Thu, Sep 5, 2019 at 3:01 PM Brian Campbell
> > <bcampbell@pingidentity.com> wrote:
> >> I went ahead with this in -07.
> >>
> >> On Wed, Sep 4, 2019 at 3:07 PM Brian Campbell <bcampbell@pingidentity.com> wrote:
> >>> Thanks Barry, I kinda like it. Although I'm a bit hesitant to make a
> >>> change like that at this stage. I guess I'd be looking for a little more
> >>> buy-in from folks first. Though it's not actually a functional breaking
> >>> change. So maybe okay to just go with.
> >>>
> >>> On Wed, Sep 4, 2019 at 2:54 PM Barry Leiba <barryleiba@computer.org> wrote:
> >>>>> Yeah, with query parameters lacking the hierarchical semantics that
> >>>>> the path component has, it is much less clear. In fact, an earlier revision
> >>>>> of the draft forbade the query part as I was trying to avoid the ambiguity
> >>>>> that it brings. But there were enough folks with some use case for it that
> >>>>> it made its way back in. While I am sympathetic to the point you're making
> >>>>> here, I'd prefer to not codify the practice any further by way of example
> >>>>> in the document.
> >>>> Is it perhaps reasonable to discourage the use of a query component
> >>>> while still allowing it?  Maybe a "SHOULD NOT", such as this?:
> >>>>
> >>>> OLD
> >>>>        Its value MUST be an absolute URI, as specified by
> >>>>        Section 4.3 of [RFC3986], which MAY include a query component but
> >>>>        MUST NOT include a fragment component.
> >>>> NEW
> >>>>        Its value MUST be an absolute URI, as specified by
> >>>>        Section 4.3 of [RFC3986].  The URI MUST NOT include
> >>>>        a fragment component.  It SHOULD NOT include a query
> >>>>        component, but it is recognized that there are cases that
> >>>>        make a query component useful.
> >>>> END
> >>>>
> >>>> What do you think?
> >>>>
> >>>> Barry
> >>
> >> CONFIDENTIALITY NOTICE: This email may contain confidential and
> >> privileged material for the sole use of the intended recipient(s). Any
> >> review, use, distribution or disclosure by others is strictly prohibited.
> >> If you have received this communication in error, please notify the sender
> >> immediately by e-mail and delete the message and any file attachments from
> >> your computer. Thank you.
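The rule discussed in this thread (absolute URI, MUST NOT carry a fragment, SHOULD NOT carry a query, and a scoping query being part of the resource parameter) can be checked as in the following added sketch, which is not text from the draft or code from any participant. The function names, the exact-string comparison against registered values, and the sample URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample registrations (assumption): one path-scoped resource
# and one that uses a query parameter to scope requests to an application.
REGISTERED = {
    "https://api.example.com/app1",
    "https://rs.example.com/?app=calendar",
}

def check_resource(value):
    """Validate one `resource` parameter value; returns (ok, notes)."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False, ["unparseable URI"]
    # Absolute URI (RFC 3986 section 4.3): a scheme is required.
    if not parts.scheme:
        return False, ["not an absolute URI"]
    # MUST NOT include a fragment. Test the raw string, because urlsplit
    # reports an empty fragment for a bare trailing '#'.
    if "#" in value:
        return False, ["fragment component present"]
    notes = []
    # SHOULD NOT include a query: allowed, but worth surfacing.
    if "?" in value:
        notes.append("query component present (SHOULD NOT)")
    return True, notes

def audience_for(value, registered=REGISTERED):
    """Return (matched_resource_or_None, notes) for a requested value."""
    ok, notes = check_resource(value)
    if not ok:
        return None, notes
    # The query is part of the identifier: compare the whole string and
    # never strip or ignore the query before matching (assumed policy).
    if value not in registered:
        return None, notes + ["unknown resource"]
    return value, notes

if __name__ == "__main__":
    for candidate in ("https://rs.example.com/?app=calendar",
                      "https://rs.example.com/?app=mail",
                      "https://api.example.com/app1#"):
        print(candidate, "->", audience_for(candidate))
```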