Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21

Bill Mills <> Thu, 30 April 2015 15:50 UTC

Date: Thu, 30 Apr 2015 15:50:09 +0000 (UTC)
From: Bill Mills <>
To: Benjamin Kaduk <kaduk@MIT.EDU>

I prefer the IMAP example because it ties in to the rest of the doc cleanly. I'll update it that way and get copy out today.

On Thursday, April 30, 2015 7:39 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:

On Wed, 29 Apr 2015, Bill Mills wrote:

> Everything up to the concrete example works for me.  The example is
> vaporware, I'd rather use a concrete one or leave it out.

I think the SNI example is a concrete example, in that it is very clear
which values are to be compared.  The fact that it is not a comparison
which is performed by any extant software is a different issue.

To continue along those lines, we frequently publish specifications that
have not been (fully) implemented; I see our duty as to publish documents
that say what should be done for correct and secure (inter)operation.  I
recognize that not all checks are always implemented everywhere, but that
does not free us of our obligation to write documents containing all the
security checks that we believe are relevant.  So, I believe that this
text is useful and correct, and do not see merit in the objection raised
thus far.

However, I am not particularly tied to this particular example, and if you
still wish to replace it with a different example (such as the one Stephen
mentioned off-list, of an IMAP server configured only to serve
that should reject client response claiming to be for), I can
accept that for the goal of moving the document forward.
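The check the thread is arguing about, as an added example that is not part of this email or of the draft: a server-side parser for the OAUTHBEARER initial client response in the layout the draft defines (GS2 header, then key/value pairs separated by the %x01 byte, later published as RFC 7628), followed by a policy check that rejects a response whose `host` (or `port`) is not one the server is configured to serve. The hostnames, ports and token are constructed sample values; the function names are mine.

```python
KVSEP = "\x01"  # the draft's key/value separator (the %x01 byte)


def parse_client_response(msg: str) -> dict:
    """Parse an OAUTHBEARER initial client response into a dict holding the
    GS2 channel-binding flag, the authzid, and each key/value pair."""
    if not msg.endswith(KVSEP * 2):
        raise ValueError("client response must end with two kvsep bytes")
    head, body = msg.split(KVSEP, 1)
    gs2 = head.split(",")
    # GS2 header is "<cb-flag>,[a=<authzid>],": exactly three comma-separated parts
    if len(gs2) != 3 or gs2[2] != "" or (gs2[1] and not gs2[1].startswith("a=")):
        raise ValueError("malformed GS2 header")
    fields = {"cb": gs2[0], "authzid": gs2[1][2:]}
    for item in body[:-2].split(KVSEP):  # drop the terminating kvsep pair
        key, eq, value = item.partition("=")
        if not key or not eq:
            raise ValueError(f"malformed key/value pair: {item!r}")
        fields[key] = value
    return fields


def check_client_response(fields: dict, served_hosts: set, served_ports: set) -> tuple:
    """Server-side policy check: the host (and port) the client claims it
    connected to must be one this server is configured to serve."""
    if not fields.get("auth", "").startswith("Bearer "):
        return False, "auth value is not a Bearer token"
    host = fields.get("host")
    if host is not None and host.lower() not in {h.lower() for h in served_hosts}:
        return False, f"host {host!r} is not served here"
    port = fields.get("port")
    if port is not None and (not port.isdigit() or int(port) not in served_ports):
        return False, f"port {port!r} is not served here"
    return True, "ok"


def build_response(authzid: str, host: str, port: int, token: str) -> str:
    """Constructed sample client response in the draft's layout."""
    return (f"n,a={authzid}," + KVSEP + f"host={host}" + KVSEP + f"port={port}"
            + KVSEP + f"auth=Bearer {token}" + KVSEP + KVSEP)


if __name__ == "__main__":
    # Constructed sample: an IMAP server that only serves imap.example.com
    served = ({"imap.example.com"}, {143, 993})
    good = parse_client_response(build_response("user@example.com", "imap.example.com", 143, "TOKEN"))
    bad = parse_client_response(build_response("user@example.com", "other.example.com", 143, "TOKEN"))
    print(check_client_response(good, *served))  # (True, 'ok')
    print(check_client_response(bad, *served))   # (False, "host 'other.example.com' is not served here")
```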