[kitten] Joel Jaeggli's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)

"Joel Jaeggli" <joelja@bogus.com> Mon, 25 May 2015 15:57 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CDD81A9250; Mon, 25 May 2015 08:57:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iyDPTdZuNRGI; Mon, 25 May 2015 08:57:53 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CF2731A924B; Mon, 25 May 2015 08:57:53 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Joel Jaeggli" <joelja@bogus.com>
To: "The IESG" <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150525155753.4748.29014.idtracker@ietfa.amsl.com>
Date: Mon, 25 May 2015 08:57:53 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Bm2ZbSYfqHNTCz2mTHNOaMMulyQ>
Cc: kitten-chairs@ietf.org, draft-ietf-kitten-sasl-oauth.shepherd@ietf.org, kitten@ietf.org, draft-ietf-kitten-sasl-oauth@ietf.org, draft-ietf-kitten-sasl-oauth.ad@ietf.org
Subject: [kitten] Joel Jaeggli's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2015 15:57:55 -0000

Joel Jaeggli has entered the following ballot position for
draft-ietf-kitten-sasl-oauth-22: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-oauth/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

SASL mechanisms using this document as their definition do not
   provide a data security layer; that is, they cannot provide integrity
   or confidentiality protection for application messages after the
   initial authentication.  If such protection is needed, TLS or some
   similar solution should be used.  Additionally, for the two
   mechanisms specified in this document, TLS MUST be used for
   OAUTHBEARER to protect the bearer token; for OAUTH10A the use of TLS
   is RECOMMENDED.

Can someone explain to me situation were intergrity protection is not
desirable (possibly rhetorical). it seems like it might be better to
clarify what the exception is and use a blanket must for everything else.