Re: [kitten] WGLC on draft-ietf-kitten-sasl-oauth-12
"Matt Miller (mamille2)" <mamille2@cisco.com> Wed, 18 December 2013 19:10 UTC
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Bill Mills <wmills@yahoo-inc.com>
Date: Wed, 18 Dec 2013 19:09:59 +0000
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] WGLC on draft-ietf-kitten-sasl-oauth-12
On Dec 18, 2013, at 11:24 AM, Bill Mills <wmills@yahoo-inc.com> wrote:

> We went around a number of times on the SASL identities. The problem I see is that the assertion of authz-id, if it's specified separately in protocol, just has to be matched/confirmed by the token anyway, so the value should just be derived from that.

I still think you're conflating authn-id and authz-id here. An example: let's say we have an XMPP service, where a session is long-lived and has a strong identity (effectively, the sender address cannot be anything other than what the user logged in with). Our resource owner has multiple identities on this service ("john.smith@example.com", "bofh@example.com", "slumber.viking@example.com") but one set of credentials on the authorization server. In this case, what should the XMPP service use for the identity? For most other SASL mechanisms, this is where authz-id is used. It still absolutely requires the resource server to confirm the authz-id is appropriate for the given credentials (token). If there were only one possible identity, then the client shouldn't even specify an authz-id (IMO). But where there are multiple possible identities, the user might want to pick one other than the default.

Now, it could very well be that the above is not something that ought to be supported for SASL-OAuth. It could be that the resource owner needs to choose the specific identifier to use as part of the OAuth authorization flow before the token is even granted. If this is the most desired case, then the mechanisms need to specifically state that they do not transfer authorization identity strings.

> Not sure why the MAC token draft number is wrong. I'm using the xml2rfc format and referring to <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-oauth-v2-http-mac.xml' ?> so I'm not sure what to fix.

Hrm. Maybe there is an overly aggressive caching proxy between you and xml.resource.org, or an overly aggressive local cache? I would suggest using "https://", but it looks like the cert isn't valid for xml.resource.org! /me notes to follow up on that...

> On scopes, I'm not liking your changes but see the problem. The current text is:
>
> "An OAuth scope which is valid to access the service. This may be empty which implies that unscoped tokens are required, or a space separated list. Use of a space separated list is NOT RECOMMENDED."
>
> I propose:
>
> "An OAuth scope which is valid to access the service. This may be empty which implies that unscoped tokens are required, or a scope value. If a scope is specified then a single scope is preferred, use of a space separated list of scopes is NOT RECOMMENDED."

That works for me, and I think that's what most deployments will want to do.

- m&m
Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.

> -bill
>
> P.S. Nits... "erk" is actually a sound made when you drop something on your foot, "irk" is indicative of the reaction to excessive pedantry. :)

I said erk out loud when I saw it, does that count (-:
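The authn-id/authz-id distinction and the scope-value text discussed above, worked through as an added example that is not part of the thread or the draft: a resource server (the XMPP service from the message) binds a session to one of the owner's identities only after checking the separately supplied authz-id against the identity the token authenticated. The token contents, the owner-to-identity directory and the scope value are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed view of a validated bearer token (e.g. from introspection).
@dataclass
class TokenInfo:
    subject: str                                  # authn-id: who the AS authenticated
    scopes: frozenset = field(default_factory=frozenset)

# Constructed directory: service identities each resource owner may use;
# the first entry is the owner's default identity.
IDENTITIES = {
    "owner-42": ["john.smith@example.com", "bofh@example.com",
                 "slumber.viking@example.com"],
}

def required_scopes(scope_value: str) -> frozenset:
    """Parse the advertised scope value as the quoted text describes: empty
    means unscoped tokens are required, otherwise a space separated list
    (a single scope being the preferred form)."""
    return frozenset(scope_value.split())

def effective_identity(token: TokenInfo, authzid: Optional[str],
                       scope_value: str = "xmpp") -> Optional[str]:
    """Return the identity to bind the session to, or None to reject.

    The token says who authenticated (authn-id). The authz-id travels
    separately in the SASL exchange and is honoured only after the server
    confirms it belongs to that authenticated owner."""
    needed = required_scopes(scope_value)
    if needed and not needed <= token.scopes:
        return None                     # token lacks a scope the service needs
    allowed = IDENTITIES.get(token.subject)
    if not allowed:
        return None                     # unknown resource owner
    if not authzid:
        return allowed[0]               # no authz-id sent: use the default
    if authzid not in allowed:
        return None                     # authz-id not owned by the token subject
    return authzid
```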