And yet, the security properties of query parameters make them not ideal for
credentials. From a security perspective it is hard to justify recommending it.
>________________________________
> From: David Recordon <record...@gmail.com>
>To: Mark Nottingham <m...@mnot.net>; Eran Hammer <e...@hueniverse.com>; Mike
>Jones <michael.jo...@microsoft.com>
>Cc: Julian Reschke <julian.resc...@gmx.de>; "oauth@ietf.org" <oauth@ietf.org>
>Sent: Thursday, May 24, 2012 12:11 AM
>Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer URI
>Query Parameter method
>
>
>Regardless of how we got here, just feels strange to have a
>strong recommendation against the way the protocol is actually being used. I
>completely understand that standards live on for well over eighteen months (or
>five years if we start with OAuth 1.0) but this feels like we're just going to
>end up with the vast majority of deployments doing what the
>standard explicitly recommends against. Query parameters are used because
>they're easy and implementor simplicity was always something driving design
>decisions. So at least to me this is not the path toward a widely deployed
>standard.
>
>
>--David
>
>
>
>
>
>On Thu, May 24, 2012 at 12:02 AM, Mike Jones <michael.jo...@microsoft.com>
>wrote:
>
>My recollection is that putting it in an appendix was explicitly rejected in
>the threads discussing the DISCUSS issues and no one on those threads pushed
>back afterwards, particularly after Dick's explanations of why it should stay.
> (Why these DISCUSS discussions don't include the full working group is a
>mystery to me, but apparently that's the way it's done at this stage of the
>IETF spec finalization process. Can anyone tell me why that's the case?)
>>
>>Anyway, since this feature has been in *every* version of the spec, leaving
>>it in hardly seemed to require a consensus call. The chairs, of course, can
>>obviously hold one if they believe one is called for.
>>
>> Best wishes,
>> -- Mike
>>
>>
>>-----Original Message-----
>>From: Mark Nottingham [mailto:m...@mnot.net]
>>Sent: Wednesday, May 23, 2012 11:54 PM
>>To: Eran Hammer
>>Cc: Mike Jones; Julian Reschke; oauth@ietf.org
>>Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer URI
>>Query Parameter method
>>
>>Thanks, Eran - I was just about to ask about that.
>>
>>
>>On 24/05/2012, at 4:53 PM, Eran Hammer wrote:
>>
>>> I don't care about this either way, but 'explicitly rejected' is an
>>> over-reach. I have not seen the chairs make a consensus call about that, or
>>> even formally ask the list.
>>>
>>> EH
>>>
>>>
>>>> -----Original Message-----
>>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
>>>> Behalf Of Mike Jones
>>>> Sent: Wednesday, May 23, 2012 11:49 PM
>>>> To: Julian Reschke
>>>> Cc: Mark Nottingham; oauth@ietf.org
>>>> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about
>>>> Bearer URI Query Parameter method
>>>>
>>>> Yes, putting the query parameter method into an appendix was
>>>> considered and explicitly rejected. Dick Hardt wrote about these
>>>> issues in the discussions that led to this decision, and I'll take
>>>> the liberty of quoting him, as I believe he explained it well:
>>>>
>>>> "The reality is that the world is a messy place. Developers hack the
>>>> architecture to accomplish goals not envisioned by the architects.
>>>> The architects can accept the reality of the world, or ignore it and
>>>> lose their relevance. In my opinion, putting the query parameter
>>>> mechanism into an appendix is ignoring the reality of current
>>>> implementations. Adding language to the spec that use of the query
>>>> parameter is not architecturally ideal, but accepts the reality of the
>>>> current web would be far more preferable."
>>>>
>>>> "Many sites with substantial security expertise (Google, Facebook,
>>>> LinkedIn,
>>>> Foursquare) have chosen to use the query parameter as opposed to the
>>>> header - both methods have been documented in the drafts since the
>>>> beginning. Clearly from a practical point of view the implementers
>>>> have chosen to use the query parameter. "
>>>>
>>>> "I have read people proposing dropping it from the spec or pushing it
>>>> to an Appendix. I agree that the security issues need to be
>>>> documented and the architectural issues called out. I think dropping
>>>> it from the spec or pushing it to an appendix is a disservice to
>>>> implementers and sends a message that the IETF is not in touch with the
>>>> realities of the web."
>>>>
>>>> -- Mike
>>>>
>>>> -----Original Message-----
>>>> From: Julian Reschke [mailto:julian.resc...@gmx.de]
>>>> Sent: Wednesday, May 23, 2012 11:36 PM
>>>> To: Mike Jones
>>>> Cc: oauth@ietf.org; Mark Nottingham
>>>> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about
>>>> Bearer URI Query Parameter method
>>>>
>>>> On 2012-05-18 09:15, Julian Reschke wrote:
>>>>> ...
>>>>> Did you consider to *also* move the whole section into an appendix,
>>>>> so that it's status is also reflected by the document structure?
>>>>>
>>>>> Best regards, Julian
>>>>
>>>> Hi, it would be awesome to see feedback on this (it has been
>>>> mentioned during IETF LC multiple times).
>>>>
>>>> Best regards, Julian
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>--
>>Mark Nottingham http://www.mnot.net/
>>
>>
>>
>>
>>
>>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
