Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 28 April 2015 16:48 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23EC01B2A30 for <kitten@ietfa.amsl.com>; Tue, 28 Apr 2015 09:48:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G24sM1NZ30xV for <kitten@ietfa.amsl.com>; Tue, 28 Apr 2015 09:48:05 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240181B2A35 for <kitten@ietf.org>; Tue, 28 Apr 2015 09:47:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E5221BDD8; Tue, 28 Apr 2015 17:47:28 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2qNVgC4orzj; Tue, 28 Apr 2015 17:47:27 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.29.198]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id BC6DDBDCC; Tue, 28 Apr 2015 17:47:27 +0100 (IST)
Message-ID: <553FB99F.5070609@cs.tcd.ie>
Date: Tue, 28 Apr 2015 17:47:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Bill Mills <wmills_92105@yahoo.com>, Benjamin Kaduk <kaduk@MIT.EDU>
References: <553F9DDB.4050401@cs.tcd.ie> <699427215.7347807.1430236125356.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <699427215.7347807.1430236125356.JavaMail.yahoo@mail.yahoo.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/6IRmIqJN4SJH-yRC-Ce97-nRSvM>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2015 16:48:06 -0000
On 28/04/15 16:48, Bill Mills wrote: > Again I disagree, this is *exactly* the same problem the HTTP host > header solves. The Host header field solves that problem for HTTP, but creates a problem for an authorization subsystem - if one piece of server side code checks an action the client wants to do vs. the Host header field and another makes that check vs. the new field that we're defining here then that opens a hole. And that error has been seen many times, so I don't believe you can just do a plug and play thing here safely, in general. > IMAP does not have anything that conveys hostname. > Port number might be known but hostname is not guaranteed. Added "The > server SHOULD validate that the host and port values match the > expected values for the service." to the end of the paragraph > discussing signature base strings where host and port are defined in > 3. I've no problem if you add the above but what I'm asking for is more like: "The server MUST validate that the host and port values defined here match any other application protocol data units or configured values that carry the same information. The details of how to do that match are application-specific and so cannot defined here, but implementers integrating these SASL mechanisms with applications need to ensure that such checks are made, where they are needed." Cheers, S.
- [kitten] AD review of draft-ietf-kitten-sasl-oaut… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Benjamin Kaduk
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Benjamin Kaduk
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Benjamin Kaduk
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Bill Mills
- Re: [kitten] AD review of draft-ietf-kitten-sasl-… Stephen Farrell