Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 28 April 2015 16:48 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23EC01B2A30 for <kitten@ietfa.amsl.com>; Tue, 28 Apr 2015 09:48:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G24sM1NZ30xV for <kitten@ietfa.amsl.com>; Tue, 28 Apr 2015 09:48:05 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240181B2A35 for <kitten@ietf.org>; Tue, 28 Apr 2015 09:47:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E5221BDD8; Tue, 28 Apr 2015 17:47:28 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2qNVgC4orzj; Tue, 28 Apr 2015 17:47:27 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.29.198]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id BC6DDBDCC; Tue, 28 Apr 2015 17:47:27 +0100 (IST)
Message-ID: <553FB99F.5070609@cs.tcd.ie>
Date: Tue, 28 Apr 2015 17:47:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Bill Mills <wmills_92105@yahoo.com>, Benjamin Kaduk <kaduk@MIT.EDU>
References: <553F9DDB.4050401@cs.tcd.ie> <699427215.7347807.1430236125356.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <699427215.7347807.1430236125356.JavaMail.yahoo@mail.yahoo.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/6IRmIqJN4SJH-yRC-Ce97-nRSvM>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2015 16:48:06 -0000


On 28/04/15 16:48, Bill Mills wrote:
> Again I disagree, this is *exactly* the same problem the HTTP host
> header solves.  

The Host header field solves that problem for HTTP, but creates a
problem for an authorization subsystem - if one piece of server
side code checks an action the client wants to do vs. the Host
header field and another makes that check vs. the new field that
we're defining here then that opens a hole. And that error has
been seen many times, so I don't believe you can just do a plug
and play thing here safely, in general.

> IMAP does not have anything that conveys hostname.
> Port number might be known but hostname is not guaranteed. Added "The
> server SHOULD validate that the host and port values match the
> expected values for the service." to the end of the paragraph
> discussing signature base strings where host and port are defined in
> 3.

I've no problem if you add the above but what I'm asking for is
more like: "The server MUST validate that the host and port values
defined here match any other application protocol data units or
configured values that carry the same information. The details of
how to do that match are application-specific and so cannot defined
here, but implementers integrating these SASL mechanisms with
applications need to ensure that such checks are made, where they
are needed."

Cheers,
S.