Re: [kitten] Barry Leiba's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)

Bill Mills <wmills_92105@yahoo.com> Tue, 26 May 2015 20:54 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FCC11B31B2 for <kitten@ietfa.amsl.com>; Tue, 26 May 2015 13:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.509
X-Spam-Level:
X-Spam-Status: No, score=-1.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id skFxfZKPzqoH for <kitten@ietfa.amsl.com>; Tue, 26 May 2015 13:54:55 -0700 (PDT)
Received: from nm49-vm1.bullet.mail.ne1.yahoo.com (nm49-vm1.bullet.mail.ne1.yahoo.com [98.138.121.129]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5408E1B3213 for <kitten@ietf.org>; Tue, 26 May 2015 13:51:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1432673508; bh=JOBroanwTK4i8tSh3pXCfvnsCtDizodwmkeAOf6z+Xo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=gVTes8ulOKxQ/eNZ5enaFzMO08kc1f9cGPjrBdoqtaG6a4Hodjki2uzO0m9Wibhf+kgpSONw48t0b0g+v55ucMph/i7n2CTfng0jiR5BnGQRRyfRjnwqEFoCtJnlTGYPdXzAAeYuQH+ZDIwPEv6RPVVuRnpYMmZ4vIbBM/PMbsQLlJ1cYJxxW5NUA/yV10y+SQVovd5e+cYAdflu+/Yyqghk7gmEbr4yr63SpjDpDtlpyiS31iupOUAa40rG5vY3GTmlbQx+42QqSyzjKr/G+7WEJO27zUyqGJiazODV2/HJyi9M0GUvLEoVjvaQaVgArj6axqcH9vKfiTXev5d9Tg==
Received: from [127.0.0.1] by nm49.bullet.mail.ne1.yahoo.com with NNFMP; 26 May 2015 20:51:48 -0000
Received: from [98.138.100.117] by nm49.bullet.mail.ne1.yahoo.com with NNFMP; 26 May 2015 20:49:08 -0000
Received: from [98.139.170.179] by tm108.bullet.mail.ne1.yahoo.com with NNFMP; 26 May 2015 20:49:08 -0000
Received: from [98.139.212.211] by tm22.bullet.mail.bf1.yahoo.com with NNFMP; 26 May 2015 20:49:07 -0000
Received: from [127.0.0.1] by omp1020.mail.bf1.yahoo.com with NNFMP; 26 May 2015 20:49:07 -0000
X-Yahoo-Newman-Property: ymail-4
X-Yahoo-Newman-Id: 919816.36376.bm@omp1020.mail.bf1.yahoo.com
X-YMail-OSG: oYVjzlgVM1mpREoL_ZorTTMkhy.M5kWFYnlnVKpF5ks_P_RFYPUP2jUfjzJIax7 65tZKQ43wpoE5JWpeJb_GrH5xHEcXLitCQ1gz6RqGGW6cuHy4vs5kwtCj7uNdK0eEyjcv4fqP95R HR9.GR4_LB1jM9Sor4Fu398KCvJf4KNLB0Sim5tjQG7FgDE42XI.9Q92aBh0aBcAgo2p_CtutZWK YxJfjucuelL0ZhJeE14PJeQ._D54EuKcH6nyI9IqEgl7W9l4Ve1XKyY.jcU4IxHe1WWvBgAbsD4p m9Zlf2cI44OkLTLooPARpMa5TvhAUilpI4QKLape1xa4U11MV7j9bmkR8C9A12A5JgKHhWPpIopC AYSxdWOCRfwjc8dmnCZMXFlNpqNfkm6XuU1wqLESjwEgnQBSDtUoClZqhU_meo4.pUEn9vOnCsk2 3bMr4wMPAhHsonpuMJj88Y3_.0cfOqJNysdxrBnDxc9S6oNFa.dUh1PnoJhwhjMEy3R1M7FqP2jQ WXoL7xsChEtDB2qXUDYGJ
Received: by 76.13.26.136; Tue, 26 May 2015 20:49:07 +0000
Date: Tue, 26 May 2015 20:49:04 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: Barry Leiba <barryleiba@computer.org>, The IESG <iesg@ietf.org>
Message-ID: <513132564.2389503.1432673344504.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <20150526155734.22570.6165.idtracker@ietfa.amsl.com>
References: <20150526155734.22570.6165.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_2389502_397118509.1432673344489"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Byido79G-If_ps38r4EmdrnQVDA>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "kitten-chairs@ietf.org" <kitten-chairs@ietf.org>, "draft-ietf-kitten-sasl-oauth.ad@ietf.org" <draft-ietf-kitten-sasl-oauth.ad@ietf.org>, "draft-ietf-kitten-sasl-oauth@ietf.org" <draft-ietf-kitten-sasl-oauth@ietf.org>, "draft-ietf-kitten-sasl-oauth.shepherd@ietf.org" <draft-ietf-kitten-sasl-oauth.shepherd@ietf.org>
Subject: Re: [kitten] Barry Leiba's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 20:54:59 -0000

> ----------------------------------------------------------------------> COMMENT:> ----------------------------------------------------------------------> > Another excellent, informative shepherd writeup, which helped with my review of the document.  (And, I'll say, most of the really useful writeups, as this one, seem to use the "essay" format, rather than the Q&A format.)  Thanks, Ben, for the writeup.> > -- Section 1 --> >    way to use the Simple Authentication and Security Layer (SASL)>    [RFC4422] to gain access to resources when using non-HTTP-based>    protocols, such as the Internet Message Access Protocol (IMAP)>    [RFC3501] and the Simple Mail Transfer Protocol (SMTP) [RFC5321],>    which is what this memo uses in the examples.> > When I first read this, I thought the last phrase was bound to SMTP...> but then I see that both IMAP and SMTP are used in the examples.  So, a small thing, but I'd end the sentence after the 5321 reference, and make the last phrase into another sentence, like, "This document gives examples of use in IMAP and SMTP."
WFM.  Done.
> > -- Section 2 --> >    Note that the IMAP SASL specification requires base64 encoding, see>    Section 4 of [RFC4648], not this memo.> > Nit: That seems kind of an odd way to put it, in addition to its having a comma splice.  Why not this?:> > NEW>    Note that the IMAP SASL specification requires base64 encoding, as>    specified in Section 4 of [RFC4648].> END
WFM. Done.
> > -- Section 3.2 --> Nit: "vaialble" -> "available"
Fixed
> > -- Section 3.2.2 --> >       scope (OPTIONAL):  An OAuth scope which is valid to access the>          service.  This may be omitted which implies that unscoped>          tokens are required.  If a scope is specified then a single>          scope is preferred, use of a space separated list of scopes is>          NOT RECOMMENDED.> > Why is it "NOT RECOMMENDED"?  What interoperability or security issue is in play here that makes this "SHOULD NOT"?
This isn't my preference for language, but some folks have concerns about usingmultiple scopes and how that all gets resolved and whether the client needs to understand scope strings to determine if they already have the scope they need.

> >          The server MAY return different URLs for users in>          different domains and the client SHOULD NOT cache a single>          returned value and assume it applies for all users/domains that>          the server suports.  The returned discovery document SHOULD>          have all data elements required by the OpenID Connect Discovery>          specification populated.> > Similar questions for the SHOULD NOT and SHOULD here.  In this case, I don't understand why they aren't "MUST NOT" and "MUST": for the first, I don't understand how a client can interoperate with a server if it violates this, and for the second, if they data elements are "required", why isn't including them a "MUST"?
There are implementations now that don't support Dynamic Client Reg. and requiring it would make no sense for them.
> > (Nit: The "if available" at the end of the paragraph is unnecessary; if one is not available, it certainly can't be used.)
We were leaving the door open for other discovery mechanisms so that this isn't MTI if there are other options.
> > -- Section 4.1 --> >    The>    underlying TLS establishment is not shown but is required for using>    Bearer Tokens per that specification.> >    S: * OK IMAP4rev1 Server Ready>    C: t0 CAPABILITY>    S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR>    S: t0 OK Completed> > The problem with this is that if the underlying TLS establishment is done through STARTTLS on port 143, that would come between the first line ("S:> * OK IMAP4rev1 Server Ready") and the second.  And that makes the example a bit odd.  The easiest way out of that is simply to remove the first line.  Or, better, to replace the first line with something like "[Initial connection and TLS establishment...]".  (This applies to the subsequent sections as well.)
WFM.
> > I wonder why you don't wrap the decoded payload here the same way you do in Section 4.2 (or there the same as here).  I suggest that there'd be less room for any confusion if you did them all (4.3 also) the same way (I don't care which way you choose).
Because the example for SMTP is wrong and I hadn't noticed that.  Fixing the port number and including the decoded text.
> > In the SMTP part, you say this:> >    Note>    that line breaks are inserted for readability, and that the SMTP>    protocol terminates lines with CR and LF characters (ASCII values>    0x0D and 0x0A), these are not displayed explicitly in the example.> > The same is true for the IMAP protocol and example, but you don't say this there.  Actually, I don't think you need to say it in either place, and suggest simply removing it here (and in Section 4.4).
Done
> > -- Section 4.4 --> In the SMTP protocol, you should have "[Negotiate TLS...]" before the SMTP AUTH command, as you do in Section 4.1.
Done> 
Changes committed to my working copy of the pending -23, which can be found at https://github.com/sweetums/idrafts/commit/98314659561cdfed59d39ac0e193f09f93a75da3
Thank you.
-bill
 



     On Tuesday, May 26, 2015 8:57 AM, Barry Leiba <barryleiba@computer.org> wrote:
   

 Barry Leiba has entered the following ballot position for
draft-ietf-kitten-sasl-oauth-22: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-oauth/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Another excellent, informative shepherd writeup, which helped with my
review of the document.  (And, I'll say, most of the really useful
writeups, as this one, seem to use the "essay" format, rather than the
Q&A format.)  Thanks, Ben, for the writeup.

-- Section 1 --

  way to use the Simple Authentication and Security Layer (SASL)
  [RFC4422] to gain access to resources when using non-HTTP-based
  protocols, such as the Internet Message Access Protocol (IMAP)
  [RFC3501] and the Simple Mail Transfer Protocol (SMTP) [RFC5321],
  which is what this memo uses in the examples.

When I first read this, I thought the last phrase was bound to SMTP...
but then I see that both IMAP and SMTP are used in the examples.  So, a
small thing, but I'd end the sentence after the 5321 reference, and make
the last phrase into another sentence, like, "This document gives
examples of use in IMAP and SMTP."

-- Section 2 --

  Note that the IMAP SASL specification requires base64 encoding, see
  Section 4 of [RFC4648], not this memo.

Nit: That seems kind of an odd way to put it, in addition to its having a
comma splice.  Why not this?:

NEW
  Note that the IMAP SASL specification requires base64 encoding, as
  specified in Section 4 of [RFC4648].
END

-- Section 3.2 --
Nit: "vaialble" -> "available"

-- Section 3.2.2 --

      scope (OPTIONAL):  An OAuth scope which is valid to access the
        service.  This may be omitted which implies that unscoped
        tokens are required.  If a scope is specified then a single
        scope is preferred, use of a space separated list of scopes is
        NOT RECOMMENDED.

Why is it "NOT RECOMMENDED"?  What interoperability or security issue is
in play here that makes this "SHOULD NOT"?

        The server MAY return different URLs for users in
        different domains and the client SHOULD NOT cache a single
        returned value and assume it applies for all users/domains that
        the server suports.  The returned discovery document SHOULD
        have all data elements required by the OpenID Connect Discovery
        specification populated.

Similar questions for the SHOULD NOT and SHOULD here.  In this case, I
don't understand why they aren't "MUST NOT" and "MUST": for the first, I
don't understand how a client can interoperate with a server if it
violates this, and for the second, if they data elements are "required",
why isn't including them a "MUST"?

(Nit: The "if available" at the end of the paragraph is unnecessary; if
one is not available, it certainly can't be used.)

-- Section 4.1 --

  The
  underlying TLS establishment is not shown but is required for using
  Bearer Tokens per that specification.

  S: * OK IMAP4rev1 Server Ready
  C: t0 CAPABILITY
  S: * CAPABILITY IMAP4rev1 AUTH=OAUTHBEARER SASL-IR
  S: t0 OK Completed

The problem with this is that if the underlying TLS establishment is done
through STARTTLS on port 143, that would come between the first line ("S:
* OK IMAP4rev1 Server Ready") and the second.  And that makes the example
a bit odd.  The easiest way out of that is simply to remove the first
line.  Or, better, to replace the first line with something like
"[Initial connection and TLS establishment...]".  (This applies to the
subsequent sections as well.)

I wonder why you don't wrap the decoded payload here the same way you do
in Section 4.2 (or there the same as here).  I suggest that there'd be
less room for any confusion if you did them all (4.3 also) the same way
(I don't care which way you choose).

In the SMTP part, you say this:

  Note
  that line breaks are inserted for readability, and that the SMTP
  protocol terminates lines with CR and LF characters (ASCII values
  0x0D and 0x0A), these are not displayed explicitly in the example.

The same is true for the IMAP protocol and example, but you don't say
this there.  Actually, I don't think you need to say it in either place,
and suggest simply removing it here (and in Section 4.4).

-- Section 4.4 --
In the SMTP protocol, you should have "[Negotiate TLS...]" before the
SMTP AUTH command, as you do in Section 4.1.


_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten