On 2012-05-18 00:11, Mike Jones wrote:
Dear working group members:

I'm going through the remaining open issues that have been raised about
the Bearer spec so as to be ready to publish an updated draft once the
outstanding consensus call issues are resolved.

This DISCUSS had been raised about the URI Query Parameter method:

* Section 2.3 URI Query Parameter

This section effectively reserves a URI query parameter for the
draft's use. This should not be done lightly, since this would be a
precedent for the IETF encroaching upon a server's URIs (done
previously in RFC5785, but in a much more limited fashion, as a
tactic to prevent further, uncontrolled encroachment).

Given that the draft already discourages the use of this mechanism,
I'd recommend dropping it altogether. If the Working Group wishes it
to remain, this issue should be vetted both through the APPS area
and the W3C liaison.

I wanted to let you know that the agreed-upon resolution to this issue
is to add the following text to the URI Query Parameter section:

This method is included to document current use; its use is
NOT RECOMMENDED, both due to its security deficiencies (see
Security Considerations) and because it uses a reserved query
parameter name, which is counter to URI namespace best
practices [W3C TAG WebArch].

The reference above is to http://www.w3.org/TR/webarch/.

Thanks to Mark Nottingham, Stephen Farrell, Pete Resnick, and Dick Hardt
for helping us get to this resolution.
...

Did you consider to *also* move the whole section into an appendix, so that its status is also reflected by the document structure?

Best regards, Julian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
