My recollection is that putting it in an appendix was explicitly rejected in 
the threads discussing the DISCUSS issues and no one on those threads pushed 
back afterwards, particularly after Dick's explanations of why it should stay.  
(Why these DISCUSS discussions don't include the full working group is a 
mystery to me, but apparently that's the way it's done at this stage of the 
IETF spec finalization process.  Can anyone tell me why that's the case?)

Anyway, since this feature has been in *every* version of the spec, leaving it 
in hardly seemed to require a consensus call.  The chairs, of course, can 
obviously hold one if they believe one is called for.

                                Best wishes,
                                -- Mike

-----Original Message-----
From: Mark Nottingham [mailto:m...@mnot.net] 
Sent: Wednesday, May 23, 2012 11:54 PM
To: Eran Hammer
Cc: Mike Jones; Julian Reschke; oauth@ietf.org
Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer URI 
Query Parameter method

Thanks, Eran - I was just about to ask about that. 


On 24/05/2012, at 4:53 PM, Eran Hammer wrote:

> I don't care about this either way, but 'explicitly rejected' is an 
> over-reach. I have not seen the chairs make a consensus call about that, or 
> even formally ask the list.
> 
> EH
> 
> 
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On 
>> Behalf Of Mike Jones
>> Sent: Wednesday, May 23, 2012 11:49 PM
>> To: Julian Reschke
>> Cc: Mark Nottingham; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about 
>> Bearer URI Query Parameter method
>> 
>> Yes, putting the query parameter method into an appendix was 
>> considered and explicitly rejected.  Dick Hardt wrote about these 
>> issues in the discussions that led to this decision, and I'll take 
>> the liberty of quoting him, as I believe he explained it well:
>> 
>> "The reality is that the world is a messy place. Developers hack the 
>> architecture to accomplish goals not envisioned by the architects. 
>> The architects can accept the reality of the world, or ignore it and 
>> lose their relevance. In my opinion, putting the query parameter 
>> mechanism into an appendix is ignoring the reality of current 
>> implementations. Adding language to the spec that use of the query 
>> parameter is not architecturally ideal, but accepts the reality of the 
>> current web would be far more preferable."
>> 
>> "Many sites with substantial security expertise (Google, Facebook, 
>> LinkedIn, Foursquare) have chosen to use the query parameter as opposed 
>> to the header - both methods have been documented in the drafts since 
>> the beginning. Clearly from a practical point of view the implementers 
>> have chosen to use the query parameter."
>> 
>> "I have read people proposing dropping it from the spec or pushing it 
>> to an Appendix. I agree that the security issues need to be 
>> documented and the architectural issues called out. I think dropping 
>> it from the spec or pushing it to an appendix is a disservice to 
>> implementers and sends a message that the IETF is not in touch with the 
>> realities of the web."
>> 
>>                                      -- Mike
>> 
>> -----Original Message-----
>> From: Julian Reschke [mailto:julian.resc...@gmx.de]
>> Sent: Wednesday, May 23, 2012 11:36 PM
>> To: Mike Jones
>> Cc: oauth@ietf.org; Mark Nottingham
>> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about 
>> Bearer URI Query Parameter method
>> 
>> On 2012-05-18 09:15, Julian Reschke wrote:
>>> ...
>>> Did you consider *also* moving the whole section into an appendix, 
>>> so that its status is also reflected by the document structure?
>>> 
>>> Best regards, Julian
>> 
>> Hi, it would be awesome to see feedback on this (it has been 
>> mentioned during IETF LC multiple times).
>> 
>> Best regards, Julian
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

--
Mark Nottingham   http://www.mnot.net/




