Re: [kitten] New draft of https://tools.ietf.org/htmdraft-mills-kitten-sasl-oauth
Nico Williams <nico@cryptonector.com> Mon, 11 July 2011 20:18 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D1AC21F85B5 for <kitten@ietfa.amsl.com>; Mon, 11 Jul 2011 13:18:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.66
X-Spam-Level:
X-Spam-Status: No, score=-2.66 tagged_above=-999 required=5 tests=[AWL=-0.683, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P3B7KacFRWy0 for <kitten@ietfa.amsl.com>; Mon, 11 Jul 2011 13:18:30 -0700 (PDT)
Received: from homiemail-a71.g.dreamhost.com (caiajhbdcaid.dreamhost.com [208.97.132.83]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0D021F8B93 for <kitten@ietf.org>; Mon, 11 Jul 2011 13:18:27 -0700 (PDT)
Received: from homiemail-a71.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTP id 1F20642807C for <kitten@ietf.org>; Mon, 11 Jul 2011 13:18:27 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=PmmrArLK0ZZF2WiixINX8lkVhO05vWxRmMCeG7h8dxSt 4Oyby6/RuYSV8gPadWNY4TyTV9GSsO5Z6Yn9yEv7kCQOqSstP95QRncmHwHMjdIK 6WEFdI+sDNzOsz++pYwPDbJ4pgnu8MRnYPHSOMJi4pvMdbNraDe0O7qvMPlKLHs=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=c4JyvC6sGQNh9M05EAoQAas4oRI=; b=n82xlpFPPVQ q3IGK1COBjsO3YPGvOSGOB/LlStJ0IoeaHXyT4bHTB0BoacBYH4bh/YwqCFfdml6 Vzg3wA5Lf6NWxUVqSFfzpqOO+siRlVDm8wb/TwWGYUvnpJrRz6In2Q90uQD6cz30 oTBBNacf9b7QsrfBqdQNAJLV3jaVy5QQ=
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a71.g.dreamhost.com (Postfix) with ESMTPSA id BF34442807A for <kitten@ietf.org>; Mon, 11 Jul 2011 13:18:26 -0700 (PDT)
Received: by pvh18 with SMTP id 18so4433167pvh.31 for <kitten@ietf.org>; Mon, 11 Jul 2011 13:18:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.66.130 with SMTP id f2mr5953781pbt.521.1310415506460; Mon, 11 Jul 2011 13:18:26 -0700 (PDT)
Received: by 10.68.41.103 with HTTP; Mon, 11 Jul 2011 13:18:26 -0700 (PDT)
In-Reply-To: <1310064776.32123.YahooMailNeo@web31801.mail.mud.yahoo.com>
References: <1310064776.32123.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Mon, 11 Jul 2011 15:18:26 -0500
Message-ID: <CAK3OfOhbXRMupxo=S0_tShgaNMwUQ_vyor5OSh4m37G+dbvy8Q@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] New draft of https://tools.ietf.org/htmdraft-mills-kitten-sasl-oauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 20:18:31 -0000
On Thu, Jul 7, 2011 at 1:52 PM, William J. Mills <wmills@yahoo-inc.com> wrote: > I've posted a new draft. I believe there is one open issue, and that is whether we're going to include text defining how Tunneled HTTP authentication (started as OAuth) works with GSS-API. I am coming more and more to the opinion that the GSS-API definition is going to be very auth mechanism specific. This draft only defines what SASL needs currently, which is user auth. GSS-API has message integrity as well, and possibly other things that can be mapped into HTTP auth schemes, and I think it's going to be required that the auth schemes define their capabilities and GSS_API mappings. Per-message tokens in the GSS-API are optional. Not having them makes a mechanism very uninteresting for GSS applications. If your mechanism does have a way to exchange session keys between the initiator and acceptor then you can copy the text from RFC5802 to make your mechanism a GSS mechanism (basically you get to say that the per-message tokens and the PRF are the same as for the Kerberos V5 mechanisms, and you then specify how to get the base protocol key needed to key those things). Any mechanism that can exchange session keys should. I completely agree with you regarding this and the desirability of key exchange. You mention mapping GSS mechanisms onto HTTP authentication. See: a) HTTP/Negotiate (RFC4559) (and what Windows calls Integrated Windows Authentication with Extended Protection), and b) http://tools.ietf.org/html/draft-williams-rest-gss-00 . Nico --
- [kitten] New draft of https://tools.ietf.org/htmd… William J. Mills
- Re: [kitten] New draft of https://tools.ietf.org/… Shawn Emery
- Re: [kitten] New draft of https://tools.ietf.org/… Nico Williams