Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

2012-02-16 Thread Erlend Hamnaberg
Comments inline: On Thu, Feb 9, 2012 at 7:51 AM, Manger, James H james.h.man...@team.telstra.com wrote: Eran, a couple of comments on the new MAC spec: The example (§1.1) does not seem to be correct. That is, I calculate mac=6T3zZzy2Emppni6bzL7kdRxUWL4= instead of the given value. I get

[OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Mike Jones
In core -23, the last paragraph of section 3.1 (http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1) now says: The authorization server MUST ignore unrecognized request parameters. In -22, this said: The authorization server SHOULD ignore unrecognized

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Mike Jones
And same change requested in 3.2, 4.1.2, and 4.2.2, which also require ignoring unrecognized parameters. From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, February 16, 2012 10:16 AM To: oauth@ietf.org Subject: [OAUTH-WG] Ignoring unrecognized

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread William Mills
No, this is required for forward compatibility. Implementations that send extended parameters like capability advertisements (i.e. CAPTCHA support or something) should not be broken hitting older implementations. From: Mike Jones michael.jo...@microsoft.com

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Marius Scurtescu
+1 Yes, forward compatibility and extensions will be broken if unrecognized params are not allowed. Marius On Thu, Feb 16, 2012 at 10:32 AM, William Mills wmi...@yahoo-inc.com wrote: No, this is required for forward compatibility.  Implementations that send extended parameters like

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Michael Thomas
+1 On 02/16/2012 10:45 AM, Marius Scurtescu wrote: +1 Yes, forward compatibility and extensions will be broken if unrecognized params are not allowed. Marius On Thu, Feb 16, 2012 at 10:32 AM, William Mills wmi...@yahoo-inc.com wrote: No, this is required for forward compatibility.

Re: [OAUTH-WG] Ignoring unrecognized request parameters

2012-02-16 Thread Eran Hammer
Can you give an example where an unknown parameter being ignored can lead to security issues? EH From: John Bradley ve7...@ve7jtb.com Date: Thu, 16 Feb 2012 11:55:21 -0700 To: William Mills wmi...@yahoo-inc.com Cc:

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

2012-02-16 Thread Eran Hammer
I haven't seen much feedback so I assume this is almost ready for LC. I will apply the suggestions below and will request a WGLC for -02. EH On 2/8/12 10:51 PM, Manger, James H james.h.man...@team.telstra.com wrote: Eran, a couple of comments on the new MAC spec: The example (§1.1) does not