Responses to suggestions not adopted are inline below. Thanks for your input.
-- Mike
-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran
Hammer-Lahav
Sent: Wednesday, March 02, 2011 8:34 AM
To: Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-bearer-03.txt
Last call comments on draft-ietf-oauth-v2-bearer-03:
> Section 2.1:
>
> - RWS should be replaces with SP since the header has no other attributes
> (and should not have any). This will make parsing easier by mandating a
> single space (unless HTTPbis has other guidelines).
This is insufficient rationale to introduce a potentially breaking change. I
would want to see a demonstration of working group consensus for this change
before making it.
> Section 2.4:
>
> - ABNF includes '( token "=" ( token / quoted-string ) )', but no prose is
> provided about how new parameters may be defined. Retained this extensibility
> point must be justified with actual use cases.
This is insufficient rationale to introduce a breaking change. I would want to
see a demonstration of working group consensus for this change before making it.
> Section 2.4.1:
>
> - Why are the HTTP error code suggested and not required?
Because the spec should not presume that only the example HTTP error codes
might occur.
> Section 4.3:
>
> - This registry is unnecessary and adds no value here (namespace collision is
> unlikely in general, and unlikely to cause problems). No use cases where
> suggested to justify it, and no additional error codes were proposed in over
> a year of discussions. Error codes were intentionally left non-extensible to
> increase interoperability. If addition color is needed for existing error
> codes, additional response parameters may be registered. Otherwise, if new
> error codes are needed, a new RFC must be published updating
> draft-ietf-oauth-v2.
> - The only way to define such a registry is to bring it up as a comment for
> draft-ietf-oauth-v2. Otherwise, it is limited to the Bearer token header only
> (and since this document is not extensible, not needed even here).
Your "Error extensibility proposal" note sent on 3/29/2011 documents the need
for error extensibility. This registry meets this need, while being simpler
than the 3/29 proposal and in line with standard IETF extensibility practices.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
