[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)

From: Mark Nottingham <mnot at mnot.net>
To: John Panzer <jpanzer at google.com>
Cc: "oauth at ietf.org" <oauth at ietf.org>
Date: Wed, 14 Oct 2009 14:18:51 +1100
In-reply-to: <cb5f7a380910080010n29d0713aq181ab97ca6504eb6 at mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343784D58457 at P3PW5EX1MB01.EX1.SECURESERVER.NET> <5BFD6F3E-4A66-4C7B-98FF-8D2C286977B3 at mnot.net> <cb5f7a380910080010n29d0713aq181ab97ca6504eb6 at mail.gmail.com>

So, Postel aside, rejecting any request with unrecognised parametersin it will rule out any backwards-compatible extensions to theprotocol (practically; although the client can re-submit the requestwithout the parameter, it disincents the introduction of backwards-compatible features).

Does the OAuth community really want to do this? And, what's theattack vector that is protected against here?


Cheers,


On 08/10/2009, at 6:10 PM, John Panzer wrote:

One minor meta-comment:
--
John Panzer / Google
jpanzer at google.com / abstractioneer.org / @jpanzer



On Wed, Oct 7, 2009 at 9:15 PM, Mark Nottingham <mnot at mnot.net> wrote:
Digging up some feedback I sent privately a long while back WRTproblem reporting (so apologies if the drafts have move on since)...
...
* parameter_rejected - Unrecognised parameters should be ignored; see
Postel.
You're probably not advocating this, but: Postel's Law appliedblindly to security protocols can lead to disaster.



--
Mark Nottingham     http://www.mnot.net/

Follow-Ups:
- Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
  - From: Igor Faynberg

References:
- [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
  - From: Eran Hammer-Lahav
- Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
  - From: Mark Nottingham
- Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
  - From: John Panzer

Prev by Date: Re: [OAUTH-WG] Delegation (token) requests
Next by Date: Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
Previous by thread: Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
Next by thread: Re: [OAUTH-WG] Request for feedback: OAuth IETF Drafts (Due 10/2)
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.