Re: [OAUTH-WG] Feedback on draft-ietf-oauth-v2-13

Fri, 25 Mar 2011 09:24:06 -0700 

Actually, despite having submitted this comment, I'm having second thoughts 
about it as well based upon some possible use cases I'm aware of.  If, for 
instance, a scope element contains base64url encoded content in a URL, 
case-folding it will destroy it.  Therefore, on reconsideration, I'd like to 
withdraw the comment and have the sentence about scope elements being 
case-insensitive removed from the draft.

                                Thanks,
                                -- Mike

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian 
Campbell
Sent: Friday, March 25, 2011 9:17 AM
To: Eran Hammer-Lahav
Cc: [email protected]
Subject: Re: [OAUTH-WG] Feedback on draft-ietf-oauth-v2-13

It didn't align with the my assumption when I was implementing, which is why I 
asked:)

With respect to URIs, I believe that the scheme and host are always 
case-intensive but the case-sensitivity of the other parts are scheme dependent 
and that, in general, comparison is hard and error prone. It just feels like a 
slippery slope to start adding normalization/comparison rules to scope.  But 
with that said, it's not a big deal and I won't quibble about it.

On Fri, Mar 25, 2011 at 9:02 AM, Eran Hammer-Lahav <[email protected]> wrote:
> It's a safe language to align it with common assumptions. Also, in the case 
> of URI values, they are usually case insensitive.
>
> EHL
>
>> -----Original Message-----
>> From: Brian Campbell [mailto:[email protected]]
>> Sent: Friday, March 25, 2011 8:00 AM
>> To: Eran Hammer-Lahav
>> Cc: Mike Jones; [email protected]
>> Subject: Re: [OAUTH-WG] Feedback on draft-ietf-oauth-v2-13
>>
>> >> 4.1.1:  Scope string matching rules are ambiguous
>> >>
>> >> In the "scope" definition, add "The space-delimited strings are 
>> >> case insensitive."
>> >
>> > Good call.
>>
>> I'd like to better understand why?  Other than a means to delimit and 
>> allow for multiple values, the spec is otherwise leaving the 
>> interpretation of scope values up to the implementation/deployment.
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to