Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



<hat type='TechAdvisor'/>

(see http://tools.ietf.org/wg/oauth/charters )

On 1/25/12 1:37 AM, Mike Jones wrote:
> Eran, do I then correctly understand that you've changed your mind on
> the position you took in
> http://www.ietf.org/mail-archive/web/oauth/current/msg07698.html,
> which was: "All I agree with is to limit the scope character-set in
> the v2 spec to the subset of ASCII allowed in HTTP header
> quoted-string, excluding " and \ so no escaping is needed, ever."?  I
> ask this, because if I correctly understand your statement that you
> agree with Julian, you are now taking the position that you are OK
> with recipients being required to perform escape processing for the
> scope (and other) parameters and with them being required to accept
> them either as tokens or as quoted strings.
> 
> This raises a question I'd like to ask John Bradley, William Mills,
> Phil Hunt, and Justin Richter:  Since all of you replied with a +1 to
> Eran's original statement, are you still in agreement with it, or are
> you now possibly reconsidering your position, as Eran apparently has.
> I'm asking, because your messages have been part of the basis upon
> which I've been taking the position as editor that the working group
> consensus is that no quoting may occur.  (The other reason that I
> believed, as editor, that this was a consensus position is that this
> syntax restriction has been present in every Bearer draft, as it was
> in OAuth 2.0 draft 10, which was the basis of the first Bearer
> draft.)  If that's not the actual working group consensus (or it's
> not anymore), it would be good to know that now.

Yes, input from those (and other) OAuth WG participants would be helpful.

> Finally, I'd like to respond publicly to a comment made to me in a
> private note sent to me about the current discussions.  In it, the
> sender (an IETF "old hand") observed that it could appear from the
> strength of my responses to Julian's feedback that I might be trying
> to defend a particular personal view of how these issues should be
> resolved.  I responded to him that the irony here is that I'm not
> trying to representing a personal position.  Rather, I'm truly trying
> to do what I believe an IETF editor is supposed to do, which is to
> represent the working group's positions.

And that's just what a document editor should be doing.

> I'm quite open to the working group making it clear that its position
> has changed with respect to Julian's comments and equally open to the
> working group standing behind the text in the current draft.  If the
> chairs would like to help bring this issue to successful closure, I
> would highly welcome their participation as well.

In my role as Tech Advisor, I have reviewed the discussion threads to
date. Julian has pointed out text from the specifications being worked
on in the HTTPbis WG. I concur with Julian's assessment: it would cause
interoperability issues for individual authentication schemes to
special-case the rules about parsing of challenges and credentials.

However, I think it might be acceptable (as Martin Rex suggested) for
such schemes to make recommendations about the actual data that is
conveyed, without special-casing the parsing rules as such (if the OAuth
WG wishes to go down that path, then further discussion with the HTTPbis
WG would probably be helpful so that we get the layering right and set a
good example for future schemes).

> Personally, I'd mostly just like to see the spec finished!

I think we can all agree on that. :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]