David, David Recordon <record...@gmail.com> writes:

> Regardless of how we got here, just feels strange to have a
> strong recommendation against the way the protocol is actually being used. I
> completely understand that standards live on for well over eighteen months (or
> five years if we start with OAuth 1.0) but this feels like we're just going to
> end up with the vast majority of deployments doing what the
> standard explicitly recommends against. Query parameters are used because
> they're easy and implementor simplicity was always something driving design
> decisions. So at least to me this is not the path toward a widely deployed
> standard. (speaking as a participant, not the chair)

Just because everyone currently with a gun happens to enjoy shooting
themselves in the foot with it does not imply that we should recommend
that future gun owners shoot themselves in the foot, too.

The applications area, and the HTTP gurus in particular, have strong
opinions about the dangers of standardizing query parameters, with
strong technical arguments about how it is problematic and downright
dangerous. Historically the query string has been opaque to the
protocol, and now you're asking for it to be less opaque; they object
to that, and rightfully so.

I have no personal preference as to whether we leave this in the main
text or move it into an appendix. I don't see any harm in leaving it in
the main text with the warning that it's not recommended. As you point
out, it IS widely deployed.

> --David

-derek

> On Thu, May 24, 2012 at 12:02 AM, Mike Jones <michael.jo...@microsoft.com>
> wrote:
>
> My recollection is that putting it in an appendix was explicitly rejected
> in the threads discussing the DISCUSS issues and no one on those threads
> pushed back afterwards, particularly after Dick's explanations of why it
> should stay. (Why these DISCUSS discussions don't include the full
> working group is a mystery to me, but apparently that's the way it's done
> at this stage of the IETF spec finalization process. Can anyone tell me
> why that's the case?)
>
> Anyway, since this feature has been in *every* version of the spec,
> leaving it in hardly seemed to require a consensus call. The chairs, of
> course, can obviously hold one if they believe one is called for.
>
> Best wishes,
> -- Mike
>
> -----Original Message-----
> From: Mark Nottingham [mailto:m...@mnot.net]
> Sent: Wednesday, May 23, 2012 11:54 PM
> To: Eran Hammer
> Cc: Mike Jones; Julian Reschke; oauth@ietf.org
> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about Bearer
> URI Query Parameter method
>
> Thanks, Eran - I was just about to ask about that.
>
> On 24/05/2012, at 4:53 PM, Eran Hammer wrote:
>
> > I don't care about this either way, but 'explicitly rejected' is an
> > over-reach. I have not seen the chairs make a consensus call about that,
> > or even formally ask the list.
> >
> > EH
> >
> >
> >> -----Original Message-----
> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> >> Behalf Of Mike Jones
> >> Sent: Wednesday, May 23, 2012 11:49 PM
> >> To: Julian Reschke
> >> Cc: Mark Nottingham; oauth@ietf.org
> >> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about
> >> Bearer URI Query Parameter method
> >>
> >> Yes, putting the query parameter method into an appendix was
> >> considered and explicitly rejected. Dick Hardt wrote about these
> >> issues in the discussions that led to this decision, and I'll take
> >> the liberty of quoting him, as I believe he explained it well:
> >>
> >> "The reality is that the world is a messy place. Developers hack the
> >> architecture to accomplish goals not envisioned by the architects.
> >> The architects can accept the reality of the world, or ignore it and
> >> lose their relevance. In my opinion, putting the query parameter
> >> mechanism into an appendix is ignoring the reality of current
> >> implementations. Adding language to the spec that use of the query
> >> parameter is not architecturally ideal, but accepts the reality of the
> >> current web would be far more preferable."
> >>
> >> "Many sites with substantial security expertise (Google, Facebook,
> >> LinkedIn, Foursquare) have chosen to use the query parameter as
> >> opposed to the header - both methods have been documented in the
> >> drafts since the beginning. Clearly from a practical point of view
> >> the implementers have chosen to use the query parameter."
> >>
> >> "I have read people proposing dropping it from the spec or pushing it
> >> to an Appendix. I agree that the security issues need to be
> >> documented and the architectural issues called out. I think dropping
> >> it from the spec or pushing it to an appendix is a disservice to
> >> implementers and sends a message that the IETF is not in touch with
> >> the realities of the web."
> >>
> >> -- Mike
> >>
> >> -----Original Message-----
> >> From: Julian Reschke [mailto:julian.resc...@gmx.de]
> >> Sent: Wednesday, May 23, 2012 11:36 PM
> >> To: Mike Jones
> >> Cc: oauth@ietf.org; Mark Nottingham
> >> Subject: Re: [OAUTH-WG] FYI - Text resolving DISCUSS issue about
> >> Bearer URI Query Parameter method
> >>
> >> On 2012-05-18 09:15, Julian Reschke wrote:
> >>> ...
> >>> Did you consider *also* moving the whole section into an appendix,
> >>> so that its status is also reflected by the document structure?
> >>>
> >>> Best regards, Julian
> >>
> >> Hi, it would be awesome to see feedback on this (it has been
> >> mentioned during IETF LC multiple times).
> >>
> >> Best regards, Julian

-- 
Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
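The thread above argues over the two bearer-token transports, the Authorization header and the access_token URI query parameter, and why the latter is "problematic and downright dangerous" for something that is opaque to HTTP intermediaries. The following is an added example, not code from the thread or from any OAuth implementation the participants mention: a resource-server-side extractor that accepts either transport, and a log-line sanitizer that shows where the query-parameter transport puts the token that the header transport does not. The log format, the parameter name handling, and the sample token are assumptions chosen for illustration; the header form is the one in RFC 6750 section 2.1, the query form is section 2.3, and the rule that a client uses at most one method per request is section 2 of the published RFC.

```python
"""Added example: bearer-token transports (Authorization header vs. the
access_token query parameter) and why the query form needs defensive
handling on the resource server.

Assumptions for illustration: the Common-Log-Format style line, the
REDACTED marker and the sample token are constructed; the header and
query forms follow RFC 6750 sections 2.1 and 2.3, and the "one method
per request" rule is RFC 6750 section 2.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def extract_bearer_token(target, headers):
    """Return (token, transport) for a request, or (None, reason).

    `target` is the request-target (path plus query string); `headers`
    is a dict keyed by lower-cased header names.  The header form takes
    the token from "Authorization: Bearer <token>", the query form from
    the access_token parameter.  A request carrying both is rejected,
    since RFC 6750 forbids using more than one method per request.
    """
    found = []

    scheme, _, credential = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        found.append((credential.strip(), "header"))

    query_tokens = parse_qs(urlsplit(target).query).get("access_token", [])
    if len(query_tokens) == 1 and query_tokens[0]:
        found.append((query_tokens[0], "query"))

    if not found:
        return None, "no token"
    if len(found) > 1:
        return None, "multiple methods"
    return found[0]


def redact_target(target, param="access_token"):
    """Replace the token parameter's value in a request-target.

    Access logs, proxies and Referer headers all record the request-target.
    The header transport never puts the token there; the query transport
    does, so it has to be scrubbed before the line is written anywhere.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if param not in query:
        return target
    query[param] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def access_log_line(remote, method, target, status, redact=True):
    """Build a Common-Log-Format style access log line (format is an assumption)."""
    shown = redact_target(target) if redact else target
    return f'{remote} - - "{method} {shown} HTTP/1.1" {status}'


# Constructed sample requests; the token value is made up for this example.
TOKEN = "tok.ExAmPlE-123"
HEADER_REQUEST = ("/resource", {"authorization": f"Bearer {TOKEN}"})
QUERY_REQUEST = (f"/resource?access_token={TOKEN}&user=42", {})
BOTH_REQUEST = (f"/resource?access_token={TOKEN}", {"authorization": f"Bearer {TOKEN}"})


if __name__ == "__main__":
    for target, headers in (HEADER_REQUEST, QUERY_REQUEST, BOTH_REQUEST):
        print(extract_bearer_token(target, headers))
    # The query transport leaks the token into an unredacted access log;
    # the header transport leaves nothing in the request-target to redact.
    print(access_log_line("203.0.113.5", "GET", QUERY_REQUEST[0], 200, redact=False))
    print(access_log_line("203.0.113.5", "GET", QUERY_REQUEST[0], 200))
    print(access_log_line("203.0.113.5", "GET", HEADER_REQUEST[0], 200, redact=False))
```

The extractor is the part a resource server needs regardless of which side of the appendix debate it lands on; the sanitizer is the part that only exists because the query transport is permitted, which is the practical shape of the "security issues need to be documented" point made in the quoted text.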