Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

[William Mills <wmills@yahoo-inc.com>]

Anyone objecting here?



________________________________
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills@yahoo-inc.com>; John Bradley <ve7jtb@ve7jtb.com>; Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Sent: Monday, October 17, 2011 3:25 PM
Subject: RE: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions


 
+1
 
From:oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of William Mills
Sent: Monday, October 17, 2011 1:53 PM
To: John Bradley; Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
 
+1
 

________________________________
 
From:John Bradley <ve7jtb@ve7jtb.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Sent: Monday, October 17, 2011 12:13 PM
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

+1

On 2011-10-17, at 11:53 AM, Eran Hammer-Lahav wrote:

> All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header quoted-string, excluding " and \ so no escaping is needed, ever.
> 
> EHL
> 
>> -----Original Message-----
>> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
>> Sent: Monday, October 17, 2011 8:25 AM
>> To: Eran Hammer-Lahav
>> Cc: Hannes Tschofenig; John Bradley; Richer, Justin P.; OAuth WG
>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>> Proposed Resolutions
>> 
>> It is good that we have an agreement among a few people that more text
>> needs to be provided in the core specification on the issue of the scope
>> element.
>> 
>> Now, there is still the question of what the text should say. The questions
>> from my earlier mails are therefore still applicable and need an answer.
>> 
>> Ciao
>> Hannes
>> 
>> On Oct 17, 2011, at 7:27 AM, Eran Hammer-Lahav wrote:
>> 
>>> I agree.
>>> 
>>> EHL
>>> 
>>>> -----Original Message-----
>>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>>>> Sent: Monday, October 17, 2011 6:07 AM
>>>> To: Richer, Justin P.
>>>> Cc: Eran Hammer-Lahav; OAuth WG
>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>>> Proposed Resolutions
>>>> 
>>>> The scopes cross all of the profiles.
>>>> 
>>>> I expect that restricting the character sets for bearer tokens, MAC,
>>>> and other future variants should be dealt with in those profiles.
>>>> 
>>>> Without restricting scope in core, we leave the possibility of coming
>>>> up with different rules in different profiles e.g. MAC vs Bearer.
>>>> 
>>>> It is probably best to have one rule in core that works across all the
>> profiles.
>>>> 
>>>> John B.
>>>> On 2011-10-16, at 7:19 PM, Richer, Justin P. wrote:
>>>> 
>>>>> I think the limit makes sense, but then are tokens limited by the
>>>>> same
>>>> rules? They need to live in all the same places (query parameters,
>>>> headers,
>>>> forms) that scopes do and would be subject to the same kinds of
>>>> encoding woes that scopes will. Or am I missing something obvious as
>>>> to why this isn't a problem for tokens (both bearer tokens and the
>>>> public part of MAC tokens) but is a problem for scope strings?
>>>>> 
>>>>> -- Justin
>>>>> ________________________________________
>>>>> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] on behalf of
>>>>> John Bradley [ve7jtb@ve7jtb.com]
>>>>> Sent: Sunday, October 16, 2011 8:11 PM
>>>>> To: Eran Hammer-Lahav
>>>>> Cc: OAuth WG
>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues &
>>>> Proposed Resolutions
>>>>> 
>>>>> Restricting it now in the core spec is going to save a lot of headaches
>> later.
>>>>> 
>>>>> John B.
>>>>> On 2011-10-16, at 3:54 PM, Eran Hammer-Lahav wrote:
>>>>> 
>>>>>> It's an open question for the list.
>>>>>> 
>>>>>> EHL
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: Julian Reschke [mailto:julian.reschke@gmx.de]
>>>>>>> Sent: Sunday, October 16, 2011 11:00 AM
>>>>>>> To: Mike Jones
>>>>>>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth
>>>>>>> WG; Eran Hammer-Lahav
>>>>>>> Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues
>>>>>>> & Proposed Resolutions
>>>>>>> 
>>>>>>> On 2011-10-16 18:44, Mike Jones wrote:
>>>>>>>> As Eran wrote on 9/30, "The fact that the v2 spec allows a wide
>>>>>>>> range of
>>>>>>> characters in scope was unintentional. The design was limited to
>>>>>>> allow simple ASCII strings and URIs."
>>>>>>>> ...
>>>>>>> 
>>>>>>> I see. Thanks.
>>>>>>> 
>>>>>>> Is this going to be clarified in -23?
>>>>>>> 
>>>>>>> Best regards, Julian
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth