I don't care about this either way, but 'explicitly rejected' is an over-reach. 
I have not seen the chairs make a consensus call about that, or even formally 
ask the list.

EH


> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Mike Jones
> Sent: Wednesday, May 23, 2012 11:49 PM
> To: Julian Reschke
> Cc: Mark Nottingham; oauth@ietf.org
> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer
> URI Query Parameter method
> 
> Yes, putting the query parameter method into an appendix was considered
> and explicitly rejected.  Dick Hardt wrote about these issues in the
> discussions that led to this decision, and I'll take the liberty of quoting
> him, as I believe he explained it well:
> 
> "The reality is that the world is a messy place. Developers hack the
> architecture to accomplish goals not envisioned by the architects. The
> architects can accept the reality of the world, or ignore it and lose their
> relevance. In my opinion, putting the query parameter mechanism into an
> appendix is ignoring the reality of current implementations. Adding language
> to the spec that use of the query parameter is not architecturally ideal, but
> accepts the reality of the current web would be far more preferable."
> 
> "Many sites with substantial security expertise (Google, Facebook, LinkedIn,
> Foursquare) have chosen to use the query parameter as opposed to the
> header - both methods have been documented in the drafts since the
> beginning. Clearly from a practical point of view the implementers have
> chosen to use the query parameter."
> 
> "I have read people proposing dropping it from the spec or pushing it to an
> Appendix. I agree that the security issues need to be documented and the
> architectural issues called out. I think dropping it from the spec or pushing
> it to an appendix is a disservice to implementers and sends a message that the
> IETF is not in touch with the realities of the web."
> 
>                                       -- Mike
> 
> -----Original Message-----
> From: Julian Reschke [mailto:julian.resc...@gmx.de]
> Sent: Wednesday, May 23, 2012 11:36 PM
> To: Mike Jones
> Cc: oauth@ietf.org; Mark Nottingham
> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer
> URI Query Parameter method
> 
> On 2012-05-18 09:15, Julian Reschke wrote:
> > ...
> > Did you consider to *also* move the whole section into an appendix, so
> > that its status is also reflected by the document structure?
> >
> > Best regards, Julian
> 
> Hi, it would be awesome to see feedback on this (it has been mentioned
> during IETF LC multiple times).
> 
> Best regards, Julian
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth