Thanks, Eran - I was just about to ask about that.

On 24/05/2012, at 4:53 PM, Eran Hammer wrote:

> I don't care about this either way, but 'explicitly rejected' is an
> over-reach. I have not seen the chairs make a consensus call about that, or
> even formally ask the list.
>
> EH
>
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Mike Jones
>> Sent: Wednesday, May 23, 2012 11:49 PM
>> To: Julian Reschke
>> Cc: Mark Nottingham; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer
>> URI Query Parameter method
>>
>> Yes, putting the query parameter method into an appendix was considered
>> and explicitly rejected. Dick Hardt wrote about these issues in the
>> discussions that led to this decision, and I'll take the liberty of quoting
>> him, as I believe he explained it well:
>>
>> "The reality is that the world is a messy place. Developers hack the
>> architecture to accomplish goals not envisioned by the architects. The
>> architects can accept the reality of the world, or ignore it and lose their
>> relevance. In my opinion, putting the query parameter mechanism into an
>> appendix is ignoring the reality of current implementations. Adding language
>> to the spec that use of the query parameter is not architecturally ideal, but
>> accepts the reality of the current web would be far more preferable."
>>
>> "Many sites with substantial security expertise (Google, Facebook, LinkedIn,
>> Foursquare) have chosen to use the query parameter as opposed to the
>> header - both methods have been documented in the drafts since the
>> beginning. Clearly from a practical point of view the implementers have
>> chosen to use the query parameter."
>>
>> "I have read people proposing dropping it from the spec or pushing it to an
>> Appendix. I agree that the security issues need to be documented and the
>> architectural issues called out. I think dropping it from the spec or
>> pushing it to an appendix is a disservice to implementers and sends a
>> message that the IETF is not in touch with the realities of the web."
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: Julian Reschke [mailto:julian.resc...@gmx.de]
>> Sent: Wednesday, May 23, 2012 11:36 PM
>> To: Mike Jones
>> Cc: oauth@ietf.org; Mark Nottingham
>> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer
>> URI Query Parameter method
>>
>> On 2012-05-18 09:15, Julian Reschke wrote:
>>> ...
>>> Did you consider to *also* move the whole section into an appendix, so
>>> that its status is also reflected by the document structure?
>>>
>>> Best regards, Julian
>>
>> Hi, it would be awesome to see feedback on this (it has been mentioned
>> during IETF LC multiple times).
>>
>> Best regards, Julian
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

--
Mark Nottingham
http://www.mnot.net/