Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

2012-02-16 Thread Eran Hammer
I haven't seen much feedback so I assume this is almost ready for LC. I will apply the suggestions below and will request a WGLC for -02. EH On 2/8/12 10:51 PM, "Manger, James H" wrote: >Eran, a couple of comments on the new MAC spec: > >The example (§1.1) does not seem to be correct. That is,

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Eran Hammer
The change came from multiple feedback provided from AD and other reviews. MUST is required to guarantee forward compatibility with future extensions. This was a known issue in 1.0 when some clients added body_hash support and caused servers to fail for no reason. A server that is unaware of a

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Eran Hammer
Can you give an example where an unknown parameter being ignored can lead to security issues? EH From: John Bradley mailto:ve7...@ve7jtb.com Date: Thu, 16 Feb 2012 11:55:21 -0700 To: William Mills mailto:wmi...@yahoo-inc.com Cc: "oauth@ietf.org" mailto:oauth@ietf.org

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread John Bradley
If you have a generic client that works across multiple Authorization endpoints some that have extension X and others not, I can see that having the Authorization servers ignore unknown parameters is desirable. However there are some endpoints that are not going to be able to allow unknown para

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Michael Thomas
+1 On 02/16/2012 10:45 AM, Marius Scurtescu wrote: +1 Yes, forward compatibility and extensions will be broken if unrecognized params are not allowed. Marius On Thu, Feb 16, 2012 at 10:32 AM, William Mills wrote: No, this is required for forward compatibility. Implementations that send e

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Marius Scurtescu
+1 Yes, forward compatibility and extensions will be broken if unrecognized params are not allowed. Marius On Thu, Feb 16, 2012 at 10:32 AM, William Mills wrote: > No, this is required for forward compatibility.  Implementations that send > extended parameters like capability advertisements (

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread William Mills
No, this is required for forward compatibility. Implementations that send extended parameters like capability advertisements (i.e. CAPTCHA support or something) should not be broken hitting older implementations. From: Mike Jones To: "oauth@ietf.org" Sent:

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Mike Jones
And same change requested in 3.2 4.1.2, and 4.2.2, which also require ignoring unrecognized parameters. From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, February 16, 2012 10:16 AM To: oauth@ietf.org Subject: [OAUTH-WG] Ignoring unrecognized req

[OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Mike Jones
In core -23, the last paragraph of section 3.1 now says: The authorization server MUST ignore unrecognized request parameters. In -22, this said: The authorization server SHOULD ignore unrecognized r

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

2012-02-16 Thread Erlend Hamnaberg
Comments inline: On Thu, Feb 9, 2012 at 7:51 AM, Manger, James H < james.h.man...@team.telstra.com> wrote: > Eran, a couple of comments on the new MAC spec: > > The example (§1.1) does not seem to be correct. That is, I calculate > mac="6T3zZzy2Emppni6bzL7kdRxUWL4=" instead of the given value. >