wfm



>________________________________
> From: Mike Jones <michael.jo...@microsoft.com>
>To: "oauth@ietf.org" <oauth@ietf.org> 
>Cc: Mark Nottingham <m...@mnot.net> 
>Sent: Thursday, May 17, 2012 3:11 PM
>Subject: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer URI Query Parameter method
> 
>
> 
>Dear working group members:
> 
>I'm going through the remaining open issues that have been raised about the 
>Bearer spec so as to be ready to publish an updated draft once the outstanding 
>consensus call issues are resolved.
> 
>This DISCUSS had been raised about the URI Query Parameter method:
> 
>   * Section 2.3 URI Query Parameter
> 
>   This section effectively reserves a URI query parameter for the 
>    draft's use. This should not be done lightly, since this would be a 
>    precedent for the IETF encroaching upon a server's URIs (done 
>    previously in RFC5785, but in a much more limited fashion, as a 
>    tactic to prevent further, uncontrolled encroachment).
> 
>   Given that the draft already discourages the use of this mechanism, 
>    I'd recommend dropping it altogether. If the Working Group wishes it 
>    to remain, this issue should be vetted both through the APPS area 
>    and the W3C liaison.
> 
>I wanted to let you know that the agreed-upon resolution to this issue is to 
>add the following text to the URI Query Parameter section:
> 
>    This method is included to document current use; its use is
>    NOT RECOMMENDED, both due to its security deficiencies (see
>    Security Considerations) and because it uses a reserved query
>    parameter name, which is counter to URI namespace best
>    practices [W3C TAG WebArch].
> 
>The reference above is to http://www.w3.org/TR/webarch/.
> 
>Thanks to Mark Nottingham, Stephen Farrell, Pete Resnick, and Dick Hardt for 
>helping us get to this resolution.
> 
>                                                                Cheers,
>                                                                -- Mike
> 
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
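The message above contrasts the Authorization header method with the URI query parameter method and says the latter is NOT RECOMMENDED for security reasons without spelling them out. The following is an added example, not code from the thread, the Bearer draft or any IETF participant; it assumes the reserved query parameter is named `access_token` (as in the Bearer spec's Section 2.3) and uses constructed tokens and access-log lines. It shows a resource server that prefers the header form and honours the query form only when explicitly enabled, then scans combined-format access logs to show where a token sent in the URL ends up persisted: in the request line of the server's own log and, via the Referer header, in a third party's log.

```python
"""Added example (not part of the OAuth WG thread above).

Illustrates the two Bearer token transmission methods the message contrasts:
the Authorization request header and the URI query parameter. The query
parameter name is assumed to be ``access_token``, as in the Bearer spec's
Section 2.3; the tokens and log lines below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

QUERY_PARAM = "access_token"  # assumed name of the reserved query parameter


def bearer_from_header(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    value = headers.get("Authorization", "")
    # b64token syntax: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" plus trailing "="
    m = re.fullmatch(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)", value)
    return m.group(1) if m else None


def bearer_from_query(url):
    """Return the token carried in the NOT RECOMMENDED query parameter form, else None."""
    qs = parse_qs(urlsplit(url).query)
    values = qs.get(QUERY_PARAM, [])
    return values[0] if len(values) == 1 else None


def extract_token(headers, url, allow_query=False):
    """Resolve the bearer token for a request as (token, source).

    The header wins; the query form is only honoured when the deployment
    explicitly enables it (documenting "current use"), and a request that
    uses both methods at once is rejected as ambiguous.
    """
    from_header = bearer_from_header(headers)
    from_query = bearer_from_query(url)
    if from_header and from_query:
        return None, "ambiguous"
    if from_header:
        return from_header, "header"
    if from_query and allow_query:
        return from_query, "query"
    return None, "none"


# Why the query form is discouraged: the URL, token included, lands in places the
# header never reaches. Constructed access-log lines in combined log format; the
# third line is a later navigation whose Referer carries the earlier URL.
ACCESS_LOG = """\
203.0.113.7 - - [17/May/2012:15:11:02 +0000] "GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1" 200 512 "-" "curl/7.22"
203.0.113.7 - - [17/May/2012:15:11:09 +0000] "GET /resource HTTP/1.1" 200 512 "-" "curl/7.22"
198.51.100.2 - - [17/May/2012:15:12:30 +0000] "GET /next HTTP/1.1" 200 44 "https://api.example/resource?access_token=mF_9.B5f-4.1JqM" "Mozilla/5.0"
"""

TOKEN_IN_URL = re.compile(r"[?&]" + re.escape(QUERY_PARAM) + r"=([^&\s\"]+)")


def audit_log(text):
    """Return (line_number, where, token) for every bearer token persisted via a URL.

    'request' means the token sat in the request line of this server's log;
    'referer' means a later request leaked it through the Referer header,
    which a third-party site would have logged the same way.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split('"')          # request line is fields[1], referer fields[3]
        request_line, referer = fields[1], fields[3]
        for where, part in (("request", request_line), ("referer", referer)):
            m = TOKEN_IN_URL.search(part)
            if m:
                findings.append((n, where, m.group(1)))
    return findings


if __name__ == "__main__":
    print(extract_token({"Authorization": "Bearer mF_9.B5f-4.1JqM"}, "/resource"))
    print(extract_token({}, "/resource?access_token=mF_9.B5f-4.1JqM"))
    for finding in audit_log(ACCESS_LOG):
        print("token in URL:", finding)
```

Running `audit_log` over a real access log is a quick way to check whether any client in a deployment still uses the query parameter form before a server stops accepting it; the `allow_query` flag in `extract_token` is the switch that deployment would then turn off.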
