
Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The

2012-01-24 21:49:14
Bjoern Hoehrmann wrote:

* Mike Jones wrote:
Thanks for asking, Martin.  That's effectively what the spec does
already.  It restricts the input values of these parameters to be quoted

                  the HTTP specification does not give you an interface
that allows you to tell `x` and `"x"` apart in this particular case. If
the draft said "When using WWW-Authenticate: Bearer ... then the header
name must be written `wWw-authenTICate`", same problem. HTTP says case
does not matter, and if another specification says "Yes, it does" then
it is overriding the underlying specification, to some degree anyway.

Of course, what oaep-bearer could _not_ "define to not exist"
(no matter how much anyone (group) might desire this), is those
transformations, and their complexity, that are permitted on that HTTP
header field, e.g. through "middle-boxes", such as client-side
HTTP proxies or server-side reverse-proxies between the original
creator and the final consumer, as well as permitted side-effects
of other application components sharing the same client (like a browser).

-Martin
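
Added example, not part of the original message or of the draft: a minimal parser for generic HTTP challenge parameters, showing that `x` and `"x"`, and differently cased header names, reach the application as the same value. The grammar (token or quoted-string values), the function names and the sample headers are assumptions constructed for illustration.

```python
import re

# Generic HTTP auth-param: name "=" ( token / quoted-string ), as a generic
# HTTP library would parse it (assumed grammar; not taken from the draft).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(
    r'\s*(?P<name>' + _TOKEN + r')\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TOKEN + r'))\s*(?:,|$)'
)

def parse_challenge(value):
    """Parse 'Scheme name=value, ...' into (scheme, {name: value})."""
    scheme, _, rest = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            raise ValueError("malformed auth-param at offset %d" % pos)
        if m.group("quoted") is not None:
            # Undo quoted-pair escaping; the quotes are syntax, not data.
            val = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        else:
            val = m.group("token")
        params[m.group("name").lower()] = val  # parameter names: case-insensitive
        pos = m.end()
    return scheme.lower(), params

def find_header(headers, name):
    """Look up a header field; field names compare case-insensitively."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None

# Constructed samples: the same challenge in two on-the-wire spellings, for
# instance as first written and as re-serialised somewhere along the path.
ORIGIN = [("WWW-Authenticate", 'Bearer realm="example", error="invalid_token"')]
PROXIED = [("wWw-authenTICate", "Bearer realm=example,error=invalid_token")]

def same_challenge(a, b):
    """True when both header lists carry the same parsed challenge."""
    return (parse_challenge(find_header(a, "WWW-Authenticate")) ==
            parse_challenge(find_header(b, "WWW-Authenticate")))

if __name__ == "__main__":
    print(same_challenge(ORIGIN, PROXIED))
```

A consumer that sits behind such a parser only ever sees the parsed value, so a rule about how the value was quoted on the wire cannot be checked at that layer.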