Dear working group members:
I'm going through the remaining open issues that have been raised about the Bearer spec so as to be ready to publish an updated draft once the outstanding consensus call issues are resolved. This DISCUSS had been raised about the URI Query Parameter method:

    * Section 2.3 URI Query Parameter

    This section effectively reserves a URI query parameter for the draft's use. This should not be done lightly, since this would be a precedent for the IETF encroaching upon a server's URIs (done previously in RFC5785, but in a much more limited fashion, as a tactic to prevent further, uncontrolled encroachment).

    Given that the draft already discourages the use of this mechanism, I'd recommend dropping it altogether. If the Working Group wishes it to remain, this issue should be vetted both through the APPS area and the W3C liaison.

I wanted to let you know that the agreed-upon resolution to this issue is to add the following text to the URI Query Parameter section:

    This method is included to document current use; its use is NOT RECOMMENDED, both due to its security deficiencies (see Security Considerations) and because it uses a reserved query parameter name, which is counter to URI namespace best practices [W3C TAG WebArch].

The reference above is to http://www.w3.org/TR/webarch/.

Thanks to Mark Nottingham, Stephen Farrell, Pete Resnick, and Dick Hardt for helping us get to this resolution.

Cheers,
-- Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
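The message above leaves the "security deficiencies" of the URI query parameter method to the spec's Security Considerations. The following is an added example, not code from the message or from the Bearer draft, showing the practical consequence a resource server sees: a token carried in the query string is part of the request URI and would land in an ordinary access log, whereas a token in the Authorization header does not. It assumes the parameter name `access_token` (the name the published Bearer spec, RFC 6750, uses for this method; the message itself does not name it) and constructs its own sample requests and log line format.

```python
"""Added example (not part of the mailing-list message or the Bearer draft).

Assumptions: the query parameter is named ``access_token`` as in the published
Bearer spec (RFC 6750 section 2.3); the request samples and the access-log line
format below are constructed for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Reserved parameter name documented by the spec's URI Query Parameter method.
QUERY_PARAM = "access_token"


def extract_bearer(headers: dict, url: str) -> Tuple[Optional[str], str]:
    """Return (token, method) for one request.

    The Authorization header is preferred. The query-parameter form is still
    parsed, because the spec keeps it "to document current use", but callers
    get method == "query" so they can treat that path as NOT RECOMMENDED
    (for example, log it as a finding or reject it by policy).
    """
    auth = headers.get("Authorization", "")
    scheme, _, credentials = auth.partition(" ")
    if scheme.lower() == "bearer" and credentials.strip():
        return credentials.strip(), "header"
    params = parse_qs(urlsplit(url).query)
    if QUERY_PARAM in params:
        return params[QUERY_PARAM][0], "query"
    return None, "none"


def redact_url(url: str) -> str:
    """Replace the reserved token parameter before the URL reaches a log.

    Other query parameters are preserved; a URL without the token parameter is
    returned unchanged.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if QUERY_PARAM not in params:
        return url
    params[QUERY_PARAM] = ["[REDACTED]"]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def access_log_line(method: str, url: str, status: int) -> str:
    """Constructed access-log format: the URI is logged, headers are not."""
    return f'"{method} {redact_url(url)}" {status}'


if __name__ == "__main__":
    # Constructed sample requests: same token, two transport methods.
    header_req = ({"Authorization": "Bearer mF_9.B5f-4.1JqM"}, "/resource?x=1")
    query_req = ({}, "/resource?access_token=mF_9.B5f-4.1JqM&x=1")
    for headers, url in (header_req, query_req):
        token, method = extract_bearer(headers, url)
        print(f"method={method:<6} token={token} log={access_log_line('GET', url, 200)}")
```

Run stand-alone, the header request logs a clean URI while the query request would have logged the token verbatim had `redact_url` not stripped it; that is the defect the resolution text points to, and the redaction step is the minimum a server accepting the legacy method should do.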