ietf
[Top] [All Lists]

Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

2012-01-25 15:26:32
<hat type='TechAdvisor'/>

(see http://tools.ietf.org/wg/oauth/charters )

On 1/25/12 1:37 AM, Mike Jones wrote:
Eran, do I then correctly understand that you've changed your mind on
the position you took in
http://www.ietf.org/mail-archive/web/oauth/current/msg07698.html,
which was: "All I agree with is to limit the scope character-set in
the v2 spec to the subset of ASCII allowed in HTTP header
quoted-string, excluding " and \ so no escaping is needed, ever."?  I
ask this, because if I correctly understand your statement that you
agree with Julian, you are now taking the position that you are OK
with recipients being required to perform escape processing for the
scope (and other) parameters and with them being required to accept
them either as tokens or as quoted strings.

This raises a question I'd like to ask John Bradley, William Mills,
Phil Hunt, and Justin Richter:  Since all of you replied with a +1 to
Eran's original statement, are you still in agreement with it, or are
you now possibly reconsidering your position, as Eran apparently has.
I'm asking, because your messages have been part of the basis upon
which I've been taking the position as editor that the working group
consensus is that no quoting may occur.  (The other reason that I
believed, as editor, that this was a consensus position is that this
syntax restriction has been present in every Bearer draft, as it was
in OAuth 2.0 draft 10, which was the basis of the first Bearer
draft.)  If that's not the actual working group consensus (or it's
not anymore), it would be good to know that now.

Yes, input from those (and other) OAuth WG participants would be helpful.

Finally, I'd like to respond publicly to a comment made to me in a
private note sent to me about the current discussions.  In it, the
sender (an IETF "old hand") observed that it could appear from the
strength of my responses to Julian's feedback that I might be trying
to defend a particular personal view of how these issues should be
resolved.  I responded to him that the irony here is that I'm not
trying to representing a personal position.  Rather, I'm truly trying
to do what I believe an IETF editor is supposed to do, which is to
represent the working group's positions.

And that's just what a document editor should be doing.

I'm quite open to the working group making it clear that its position
has changed with respect to Julian's comments and equally open to the
working group standing behind the text in the current draft.  If the
chairs would like to help bring this issue to successful closure, I
would highly welcome their participation as well.

In my role as Tech Advisor, I have reviewed the discussion threads to
date. Julian has pointed out text from the specifications being worked
on in the HTTPbis WG. I concur with Julian's assessment: it would cause
interoperability issues for individual authentication schemes to
special-case the rules about parsing of challenges and credentials.

However, I think it might be acceptable (as Martin Rex suggested) for
such schemes to make recommendations about the actual data that is
conveyed, without special-casing the parsing rules as such (if the OAuth
WG wishes to go down that path, then further discussion with the HTTPbis
WG would probably be helpful so that we get the layering right and set a
good example for future schemes).

Personally, I'd mostly just like to see the spec finished!

I think we can all agree on that. :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>