Yes, putting the query parameter method into an appendix was considered and 
explicitly rejected.  Dick Hardt wrote about these issues in the discussions 
that led to this decision, and I'll take the liberty of quoting him, as I 
believe he explained it well:

"The reality is that the world is a messy place. Developers hack the 
architecture to accomplish goals not envisioned by the architects. The 
architects can accept the reality of the world, or ignore it and lose their 
relevance. In my opinion, putting the query parameter mechanism into an 
appendix is ignoring the reality of current implementations. Adding language to 
the spec that use of the query parameter is not architecturally ideal, but 
accepts the reality of the current web would be far more preferable."

"Many sites with substantial security expertise (Google, Facebook, LinkedIn, 
Foursquare) have chosen to use the query parameter as opposed to the header - 
both methods have been documented in the drafts since the beginning. Clearly 
from a practical point of view the implementers have chosen to use the query 
parameter."

"I have read people proposing dropping it from the spec or pushing it to an 
Appendix. I agree that the security issues need to be documented and the 
architectural issues called out. I think dropping it from the spec or pushing 
it to an appendix is a disservice to implementers and sends a message that the 
IETF is not in touch with the realities of the web."

                                        -- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.resc...@gmx.de] 
Sent: Wednesday, May 23, 2012 11:36 PM
To: Mike Jones
Cc: oauth@ietf.org; Mark Nottingham
Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer URI 
Query Parameter method

On 2012-05-18 09:15, Julian Reschke wrote:
> ...
> Did you consider *also* moving the whole section into an appendix, so 
> that its status is also reflected by the document structure?
>
> Best regards, Julian

Hi, it would be awesome to see feedback on this (it has been mentioned during 
IETF LC multiple times).

Best regards, Julian


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
