Technical Advisory Board / TAB-1385

Normative vs. Informative References


    Details

    • Type: Bug
    • Status: New
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: OSLC Core Specification v3.0 WD
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:

      References

    • Proposal:

      correction of the use of normative/informative references across the documents and the use of declarative normative language (which I will cover separately in a minute)


      Description

      I'm afraid the guidance on normative vs. informative references isn't clear.

      For example, in OSLC Core 3.0 at:

      *****
      6.2.2 OSLC 3.0 servers should protect resources with [rfc6749] Authentication utilizing [OpenIDConnect].
      *****

      But when I look at the references I find under "informative references"

      *****
      [rfc6749]

      D. Hardt, Ed.. The OAuth 2.0 Authorization Framework. October 2012. Proposed Standard. URL: https://tools.ietf.org/html/rfc6749
      *****

      ???

      Here's the trick. When you say:

      *****
      6.2.2 OSLC 3.0 servers should protect resources with [rfc6749] Authentication utilizing [OpenIDConnect].
      *****

      that means that in addition to conforming to your requirements, a resource also MUST conform to RFC6749, in order to be recognized by your OSLC 3.0 server.

      But in writing we don't say, the resource must conform to RFC6749 because we list that RFC in normative references and when we make a specific reference to the part of OAuth (or other standard required), it is just a declarative statement.

      I am reading quickly but something along the lines of:

      *****
      There are two types of authentication for resources:

      1) HTTP Basic Authentication as defined by [Normative Reference].

      2) OAuth authentication as defined by [RFC6749] using [OpenIDConnect]
      *****

      Then elsewhere, in the conformance clauses, you make the statements about OSLC 3.0 servers.

      Note that breaking this apart allows you to separate the declaration of the normative requirements (authentication) from the conformance statements, allowing you to both extend the standard in the future and to define conformance targets that select parts of the earlier normative requirements.

            People

            • Assignee:
              Unassigned
              Reporter:
              patrick Patrick Durusau