Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 30 April 2015 14:39 UTC

Date: Thu, 30 Apr 2015 10:39:47 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Bill Mills <>
Subject: Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21
List-Id: Common Authentication Technologies - Next Generation <>

On Wed, 29 Apr 2015, Bill Mills wrote:

> Everything up to the concrete example works for me.  The example is
> vaporware, I'd rather use a concrete one or leave it out.

I think the SNI example is a concrete example, in that it is very clear
which values are to be compared.  The fact that it is not a comparison
which is performed by any extant software is a different issue.

To continue along those lines, we frequently publish specifications that
have not been (fully) implemented; I see our duty as to publish documents
that say what should be done for correct and secure (inter)operation.  I
recognize that not all checks are always implemented everywhere, but that
does not free us of our obligation to write documents containing all the
security checks that we believe are relevant.  So, I believe that this
text is useful and correct, and do not see merit in the objection raised
thus far.

However, I am not particularly tied to this particular example, and if you
still wish to replace it with a different example (such as the one Stephen
mentioned off-list, of an IMAP server configured only to serve
that should reject a client response claiming to be for, I can
accept that for the goal of moving the document forward.
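The check under discussion, as an added example that is not part of the thread or of the draft: a server receives the OAUTHBEARER initial client response, extracts the `host` and `port` attributes the client claims to have connected to, and rejects the exchange if that host is not one it is configured to serve, if the port is not the one it is listening on, or if the host disagrees with the TLS SNI name it received. The wire format follows the draft (gs2-header, then `key=value` pairs each terminated by a 0x01 byte, then one more 0x01); only the `n,` (no channel binding) gs2-header is handled. The hostnames, the user, the token string and the function names are constructed for illustration, and how the server learns its served names and the SNI value (here, plain parameters) is an assumption.

```python
# Added example (not from the draft or the thread): build an OAUTHBEARER
# initial client response and, on the server side, check its host/port
# attributes against the names the server is configured to serve and, when
# the TLS layer saw one, the SNI name. Hostnames, user and token are
# constructed for illustration; the served-name set and SNI name are
# assumed to be supplied by the caller.
import re
from typing import Dict, Optional, Set, Tuple

KVSEP = "\x01"  # key/value separator used by OAUTHBEARER


def build_initial_response(authzid: str, host: str, port: int, token: str) -> str:
    """Client side: gs2-header, then host/port/auth pairs each ended by KVSEP,
    then one more KVSEP to terminate the message."""
    gs2_header = "n,a=%s," % authzid  # "n" = no channel binding
    pairs = [("host", host), ("port", str(port)), ("auth", "Bearer " + token)]
    return gs2_header + KVSEP + "".join("%s=%s%s" % (k, v, KVSEP) for k, v in pairs) + KVSEP


def parse_initial_response(resp: str) -> Dict[str, Optional[str]]:
    """Server side: split the response into the gs2 authzid and its key/value
    pairs. Raises ValueError on a bad header, a bad key, or a duplicate key."""
    if not resp.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating double kvsep")
    header, sep, kvs = resp[:-2].partition(KVSEP)
    if not sep:
        raise ValueError("missing kvsep after gs2-header")
    m = re.fullmatch(r"n,(?:a=([^,]*))?,", header)  # only the no-channel-binding form
    if not m:
        raise ValueError("unsupported or malformed gs2-header: %r" % header)
    # authzid is stored under a name no ALPHA-only key can collide with
    attrs: Dict[str, Optional[str]] = {"gs2-authzid": m.group(1)}
    for pair in kvs.split(KVSEP):
        key, eq, value = pair.partition("=")
        if not eq or not re.fullmatch(r"[A-Za-z]+", key):
            raise ValueError("malformed key/value pair: %r" % pair)
        if key in attrs:
            raise ValueError("duplicate key: %r" % key)
        attrs[key] = value
    return attrs


def is_well_formed(resp: str) -> bool:
    """True if parse_initial_response accepts the message."""
    try:
        parse_initial_response(resp)
        return True
    except ValueError:
        return False


def check_host_port(attrs: Dict[str, Optional[str]], served_hosts: Set[str],
                    listen_port: int, sni_name: Optional[str] = None) -> Tuple[bool, str]:
    """The check the thread discusses: the host/port the client claims must be
    one this server serves, and must agree with SNI if TLS saw one.
    DNS names compare case-insensitively, ignoring a trailing dot."""
    host, port = attrs.get("host"), attrs.get("port")
    if host is None or port is None:
        return False, "host and port attributes are required"
    host = host.rstrip(".").lower()
    if host not in {h.rstrip(".").lower() for h in served_hosts}:
        return False, "host %r is not a name this server is configured to serve" % host
    if not re.fullmatch(r"[0-9]+", port) or int(port) != listen_port:
        return False, "port %r does not match the listening port %d" % (port, listen_port)
    if sni_name is not None and host != sni_name.rstrip(".").lower():
        return False, "host %r does not match the TLS SNI name %r" % (host, sni_name)
    return True, "ok"


if __name__ == "__main__":
    token = "vF9dft4qmTc2Nvb3RlckBhbHRhdmlzdGEuY29t"  # constructed token value
    resp = build_initial_response("user@example.com", "imap.example.com", 143, token)
    attrs = parse_initial_response(resp)
    # server serves two names; TLS SNI selected imap.example.net, client claims .com
    print(check_host_port(attrs, {"imap.example.com", "imap.example.net"}, 143,
                          sni_name="imap.example.net"))
    # server only serves imap.example.com; a response for another name is rejected
    foreign = parse_initial_response(
        build_initial_response("user@example.com", "mail.attacker.example", 143, token))
    print(check_host_port(foreign, {"imap.example.com"}, 143))
```

The SNI comparison and the served-name comparison are kept as separate checks so that a server hosting several names still rejects a response whose `host` names a different one of its own names than the one TLS negotiated, which is the case the mailing list thread is arguing about.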