On 2012-06-19 00:17, Eran Hammer wrote:
I believe the UTF-8 piece came from Brian Eaton a while back because of some
security issue identified at Google.
...
If there are security reasons to send an undefined media type parameter
then they really should be spelled out.
Best regards, Julian
On 2012-06-19 02:03, Mike Jones wrote:
In cooperation with the chairs and Eran, I’ve produced the attached
proposed OAuth Core -28 version. It updates the ABNF in the manner
discussed by the working group, allowing username and password to be
Unicode and restricting client_id and client_secret t
On 2012-06-18 23:48, Mike Jones wrote:
Hi Julian,
Both the Core and Bearer specs already reference W3C.REC-html401-19991224 for
the definition of application/x-www-form-urlencoded.
That definition is useless because it doesn't specify character encoding.
I'll leave it up to others to commen
On 19/06/2012 12:54 p.m., Mike Jones wrote:
Could the experts on this thread please summarize the outcome of this thread?
Was the conclusion that no changes were required to either Core or Bearer? Or
if you believe that changes are required to one or both drafts, could you
please propose exa
I can put something together.
It is mostly a warning about the token substitution attack that any implicit
flow is vulnerable to if used for authentication of the presenter.
Otherwise known as why audience restriction is a good thing.
John B.
On 2012-06-18, at 8:20 PM, Dick Hardt wrote:
> J
Could the experts on this thread please summarize the outcome of this thread?
Was the conclusion that no changes were required to either Core or Bearer? Or
if you believe that changes are required to one or both drafts, could you
please propose exact wording changes for review by the working g
John
Do you have suggested text per your suggestion below?
-- Dick
On Jun 18, 2012, at 2:04 PM, John Bradley wrote:
> I blogged about this in the hypothetical several months ago.
> http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
>
> Nov Matake and others built so
I believe the UTF-8 piece came from Brian Eaton a while back because of some
security issue identified at Google.
EH
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Mike Jones
> Sent: Monday, June 18, 2012 2:48 PM
> To: Julian Reschke; O
Hi Julian,
Both the Core and Bearer specs already reference W3C.REC-html401-19991224 for
the definition of application/x-www-form-urlencoded.
I'll leave it up to others to comment on whether the ;charset=UTF-8 parameter
is correct or not.
-- Mike
-Original
I blogged about this in the hypothetical several months ago.
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Nov Matake and others built some tests and found quite a number of deployments
vulnerable.
http://www.thread-safe.com/2012/02/more-on-oauth-implicit-flow-ap
Hi OAuth group,
This is regarding the recent discussion about an implementation issue of some
cloud services using OAuth for authentication.
Derek Atkins and Dick Hardt suggested the possibility to discuss with the group
a paragraph to add to the security considerations section.
Derek's suggest
Hi Mike,
As you noted this is under way. When I mailed tlr I
asked for two weeks from the 13th, which co-incides
with the end of the IETF LC caused by the IPR
declaration, so it should be fine.
Cheers,
S.
On 06/18/2012 07:08 PM, Mike Jones wrote:
> Hi Stephen,
>
> Pete is holding his DISCUSS o
FYI, per the forwarded note below, at least the W3C WebCrypto WG was informed
last week of the request to review the URI Query Parameter text (Section 2.3)
of the OAuth Bearer spec. I've learned of no feedback to date.
-- Mike
-Original Message-
From: GA
This section doesn't mention the 'error' parameter. Since it mentions
the error_uri and error_description parameters, it seems to just have
been omitted/forgotten.
smime.p7s
Description: S/MIME Cryptographic Signature
___
OAuth mailing list
OAuth@i
Hi Stephen,
Pete is holding his DISCUSS on Bearer open until the current text on the URI
query parameter
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-2.3 receives
W3C review. Can you try to have that review happen this week, hopefully
finishing sometime next week?
I'm cc:
Same as any SHOULD. Do it unless you have a good reason not to. We have plenty
of other SHOULDs without any detailed explanation of the qualifications.
EH
> -Original Message-
> From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net]
> Sent: Monday, June 18, 2012 5:02 AM
> To: Mike Jo
Hi Mike,
this text below does not prohibit error information to be sent back to the
client (otherwise there would be a MUST NOT).
So, if a developer reads this below then when should he send an error response
and when not?
Ciao
Hannes
PS: (I also believe that the "i.e." should rather be a
17 matches
Mail list logo
