Igor Mark Nottingham wrote:
So, Postel aside, rejecting any request with unrecognised parameters in it will rule out any backwards-compatible extensions to the protocol (practically; although the client can re-submit the request without the parameter, it disincents the introduction of backwards-compatible features).

Does the OAuth community really want to do this? And, what's the attack vector that is protected against here?

Cheers,

On 08/10/2009, at 6:10 PM, John Panzer wrote:

> One minor meta-comment:
>
> -- John Panzer / Google
> jpanzer at google.com / abstractioneer.org / @jpanzer
>
> On Wed, Oct 7, 2009 at 9:15 PM, Mark Nottingham <mnot at mnot.net> wrote:
>
>> Digging up some feedback I sent privately a long while back WRT problem reporting (so apologies if the drafts have moved on since)...
>>
>> ...
>>
>> * parameter_rejected - Unrecognised parameters should be ignored; see Postel.
>
> You're probably not advocating this, but: Postel's Law applied blindly to security protocols can lead to disaster.

--
Mark Nottingham
http://www.mnot.net/

_______________________________________________
OAuth mailing list
OAuth at ietf.org
https://www.ietf.org/mailman/listinfo/oauth
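The trade-off argued over in this thread, as an added illustration that is not part of the list discussion or of any OAuth draft: a small Python validator for an OAuth-style authorization request that can run in either policy, rejecting unrecognised parameters with the `parameter_rejected` error named in the quoted feedback, or ignoring them as Postel would suggest. The parameter names, the required set, the extension parameter `pkce_hint` and the shape of the result dict are all constructed for this example; only the `parameter_rejected` error name comes from the thread. Note that even the lenient policy still rejects duplicated parameters and missing required ones, which is where most of the security value of "strict" validation actually lives.

```python
"""Added illustration, not from the OAuth thread: two policies for handling
unrecognised parameters on an OAuth-style authorization endpoint."""
from urllib.parse import parse_qs

# Constructed (hypothetical) parameter sets for the example server.
KNOWN_PARAMS = {"client_id", "redirect_uri", "response_type", "scope", "state"}
REQUIRED_PARAMS = {"client_id", "response_type"}


def parse_params(query: str) -> dict:
    """Parse a query string into single-valued parameters.

    Repeated parameters are refused under both policies: a duplicated key is
    ambiguous (which value wins?), and that ambiguity is independent of
    whether unknown names are tolerated.
    """
    raw = parse_qs(query, keep_blank_values=True)
    params = {}
    for key, values in raw.items():
        if len(values) != 1:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = values[0]
    return params


def validate(query: str, strict: bool) -> dict:
    """Validate an authorization request and return an OAuth-style result.

    strict=True  : any unrecognised parameter fails the request with the
                   'parameter_rejected' error mentioned in the thread.
    strict=False : unrecognised parameters are dropped (Postel), but required
                   parameters and the no-duplicates rule are still enforced.
    """
    try:
        params = parse_params(query)
    except ValueError as exc:
        return {"error": "invalid_request", "error_description": str(exc)}

    missing = REQUIRED_PARAMS - set(params)
    if missing:
        return {"error": "invalid_request",
                "error_description": "missing: " + ", ".join(sorted(missing))}

    unknown = set(params) - KNOWN_PARAMS
    if unknown and strict:
        return {"error": "parameter_rejected",
                "error_description": "unrecognised: " + ", ".join(sorted(unknown))}

    # Lenient policy: hand downstream code only the parameters it knows,
    # and record what was ignored so it can be logged or counted.
    accepted = {k: v for k, v in params.items() if k in KNOWN_PARAMS}
    return {"ok": True, "params": accepted, "ignored": sorted(unknown)}


if __name__ == "__main__":
    # Constructed sample request carrying a hypothetical extension parameter.
    sample = "client_id=abc&response_type=code&state=xyz&pkce_hint=1"
    print(validate(sample, strict=True))
    print(validate(sample, strict=False))
    print(validate("client_id=abc&client_id=def&response_type=code", strict=False))
```

Running the block shows the same request accepted under the lenient policy (with `pkce_hint` listed as ignored) and refused under the strict one, while the duplicated `client_id` is refused either way.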