<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://5509/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">OK<div><br><div><div>On 2013-06-07, at 9:08 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">How about then:<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; ">“REQUIRED. Redirection URI to which the response will be sent. All segments of this URI MUST exactly match one of the redirect_uris registered for the client_id, with the matching performed as described in [RFC3986] Section 6.2.1 (Simple String Comparison).”<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">(adding “</span>(Simple String Comparison)<span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">”).<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> -- Mike<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>John Bradley [mailto:ve7jtb@<a href="http://ve7jtb.com">ve7jtb.com</a>]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, June 07, 2013 12:00 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Tim Bray<br><b>Cc:</b><span class="Apple-converted-space"> </span>Mike Jones; <a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Inconsistency in redirect_uri definitions<o:p></o:p></span></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think we are saying the same thing. I am recommending against the AS normalizing. But I want it to be clear that the comparison is the whole URI and not have people strip off the query parameters or ignore the port foe the comparison.<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">How about.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">“REQUIRED. Redirection URI to which the response will be sent. All segments of this URI MUST exactly match one of the redirect_uris registered for the client_id, with the matching performed as described in [RFC3986] section 6.2.1”<o:p></o:p></div></blockquote></blockquote><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2013-06-07, at 8:54 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" style="color: purple; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">RFC 3986 is about URI generic syntax we would need to point specifically to Simile String Comparison Sec 6.2.1<o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2013-06-07, at 8:48 PM, Tim Bray <<a href="mailto:tbray@textuality.com" style="color: purple; text-decoration: underline; ">tbray@textuality.com</a>> wrote:<o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I recommend “REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the redirect_uris registered for the client_id, with the matching performed as described in [RFC3986] section 6.2.1”<o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Fri, Jun 7, 2013 at 11:39 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline; ">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">So you’re advocating copying the definition in Messages to Standard and deleting the words “</span><span lang="EN" style="font-family: Verdana, sans-serif; ">the Scheme, Host, and Path segments of</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">” from Registration, correct? If not, please supply alternative exact wording.</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> -- Mike</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: purple; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, June 07, 2013 11:33 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Tim Bray<br><b>Cc:</b><span class="Apple-converted-space"> </span>Mike Jones;<span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a></span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Inconsistency in redirect_uri definitions<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Google is comparing them as strings requiring an exact match as I understand it.<o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Anything other than an exact match of the the string of octets is likely to fail with some IdP. It would be nice to do URI to URI comparisons but that tends to have interoperability problems. From a security point of view Standard is correct and should be copied to the other specs.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">From an interoperability point of view saying it is an exact match of the octets may save a bunch of interoperability issues,.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Pointing to RFC3986 for comparison rules saying we are not doing normalization and will perform a comparison of the UTF8 code-points to be more specific.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">John<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2013-06-07, at 7:45 PM, Tim Bray <<a href="mailto:tbray@textuality.com" target="_blank" style="color: purple; text-decoration: underline; ">tbray@textuality.com</a>> wrote:<o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">When you say “match Standard” you mean referring to the enumeration of scheme/host/path/query, I assume. As opposed to the reference to dynamic client registration? BTW RFC3986 section 6.2 (<a href="http://tools.ietf.org/html/rfc3986#section-6.2" target="_blank" style="color: purple; text-decoration: underline; ">http://tools.ietf.org/html/rfc3986#section-6.2</a>) has useful material on URI comparison. You could simply refer to 6.2.1 and omit the enumeration.<o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Fri, Jun 7, 2013 at 10:33 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline; ">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">While working on the spelling and grammar check, I noticed the following in redirect_uri definitions. While I hate to bring this up while we’re trying to finish the Implementer’s Drafts, this is potentially a recall-class issue, so I wanted to raise it now, rather than have it come up later.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Messages, Basic, and Implicit say:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">redirect_uri</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 1in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">REQUIRED. Redirection URI to which the response will be sent. This MUST be pre-registered with the OpenID Provider.</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Standard says:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">redirect_uri</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 1in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">REQUIRED. Redirection URI to which the response will be sent. The Scheme, Host, Path, and Query Parameter segments of this URI MUST match one of the<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; "><span lang="EN" style="font-size: 10pt; ">redirect_uris</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>registered for the<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; "><span lang="EN" style="font-size: 10pt; ">client_id</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>in the OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] specification.</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Dynamic Registration says:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">redirect_uris</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 1in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">REQUIRED. Array of redirection URIs values used in the Authorization Code and Implicit grant types. One of these registered redirection URI values MUST match the Scheme, Host, and Path segments of the<span class="Apple-converted-space"> </span></span><span lang="EN" style="font-family: 'Courier New'; color: rgb(0, 51, 102); ">redirect_uri</span><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>parameter value used in each Authorization Request.</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Should Messages, Basic, and Implicit be changed to match Standard? That’s my sense of the situation, but wanted to get others’ input before doing so.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Thanks,<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> -- Mike<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "></p></div></div></div></div></blockquote></div><br></div></body></html>