Re: [kitten] Pending draft 15 Re: sasl-oauth "user" as a kvpair or in the gs2 header?

Ryan Troll <rtroll@googlers.com> Mon, 17 March 2014 17:14 UTC

In-Reply-To: <1394833947.5753.YahooMailNeo@web142802.mail.bf1.yahoo.com>
References: <1393869321.174.YahooMailNeo@web125602.mail.ne1.yahoo.com> <tslr46j2kbm.fsf@mit.edu> <1393875779.29082.YahooMailNeo@web125604.mail.ne1.yahoo.com> <tsld2i21j7u.fsf@mit.edu> <1393926562.54403.YahooMailNeo@web125603.mail.ne1.yahoo.com> <1393948558.69282.YahooMailNeo@web125602.mail.ne1.yahoo.com> <CAPe4Cjoh7n-cQAuy17MWs66wigqTQvGBVVtEJ0_3zjaSg-5JmQ@mail.gmail.com> <1394650561.77489.YahooMailNeo@web142801.mail.bf1.yahoo.com> <1394833947.5753.YahooMailNeo@web142802.mail.bf1.yahoo.com>
Date: Mon, 17 Mar 2014 10:14:41 -0700
Message-ID: <CAPe4CjrQK+6EFyNCuj5t9OknLOMacH=XiW1Aq6R1nf9Vy2d=5Q@mail.gmail.com>
From: Ryan Troll <rtroll@googlers.com>
To: Bill Mills <wmills_92105@yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/DN9oLEtJZD0lAPDDCbP6-u2M2iw
Cc: "kitten@ietf.org" <kitten@ietf.org>, Bill Mills <wmills@yahoo-inc.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [kitten] Pending draft 15 Re: sasl-oauth "user" as a kvpair or in the gs2 header?

Seems reasonable.

The last sentence contains two typos.

-R


On Fri, Mar 14, 2014 at 2:52 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

> Quoting here, in the hope that it piques someone's interest.  New proposed
> language is:
>
> " Client responses are a GS2 [RFC5801] header followed by a key/value pair
> sequence, or may be empty. The
> gs2-header is defined here for compatibility with GS2 if a GS2 mechanism is
> formally defined, but this document does not define one. These key/value
> pairs carry the equivalent values from an HTTP context in order to be able
> to complete an OAuth style HTTP authorization. Unknown key/value pairs MUST
> be ignored by the server. The ABNF [RFC5234] syntax is:
>
>
>   kvsep          = %x01
>   key            = 1*(ALPHA / ",")
>   value          = *(VCHAR / SP / HTAB / CR / LF )
>   kvpair         = key "=" value kvsep
> ;;gs2-header     = See RFC 5801
>   client_resp    = (gs2-header kvsep 0*kvpair kvsep) / kvsep
>
> The GS2 header MUST inclde the user name asociated with the resource being
> accessed, the "authzid"."
>
> Hoping to wrap this up soon.
>
> Thanks,
>
> -bill
>
>
>
>   On Wednesday, March 12, 2014 11:56 AM, Bill Mills <wmills_92105@yahoo.com> wrote:
>  Please take a look at the attached, specifically 3.1, and see if it
> captures what's been discussed.
>
> Thanks,
>
> -bill
>
>
>   On Thursday, March 6, 2014 3:38 PM, Ryan Troll <rtroll@googlers.com> wrote:
>  Apologies for the delay in responding.
>
> I understand this was discussed in today's meeting; and we're going to
> have a follow-up to discuss further - very reasonable.
>
> To answer Bill's original question: user= or a= --> Either works for us.
>  If one has better implications than the other, we'll use it.
>
> -R
>
>
>
> On Tue, Mar 4, 2014 at 7:55 AM, Bill Mills <wmills@yahoo-inc.com> wrote:
>
>
> It is not used as a SASL identity.  Quoting from -03 and -14 in progress:
> "user (REQUIRED):
> Contains the user name being authenticated. The server MAY use this as a
> routing or database lookup hint. The server MUST NOT use this as
> authoritative, the user name MUST be asserted by the OAuth credential."
>
> Also, looking at the Google API docs for XOAUTH2, they implemented based
> on the -03 spec and have the "user=$username" syntax.  See
> https://developers.google.com/gmail/xoauth2_protocol
>
> Based on Google's server API and the extant clients they have I'd like to
> ask for a consensus call on the following:
>
> 1) Add the -03 "user" kvpair back into the spec.
>
> a) YES or b) NO.
>
> 2) Should we include a GS2 header?
>
> a) No, let's wait for the GS2 update that deals with things that lack
> mutual auth and then write a spec that defines a GS2 header for SASL+OAUTH.
>
> b) Change the definition of "key" in kvpair to 1*(ALPHA / ",").  This
> makes a GS2 header followed by a ^A (i.e. "n,a=user@example.com^A") a
> valid kvpair which would be ignored by servers that don't understand it.
>
> c) Define a stub OPTIONAL GS2 header explicitly.
>
> d) Include a fully defined GS2 header (language from draft -10).
>
>
> My own feedback is 1: YES, 2: a or b.
>
> -bill
>
>
> --------------------------------
> William J. Mills
> "Paranoid" MUX Yahoo!
>
>
>
>   On Tuesday, March 4, 2014 12:06 AM, Sam Hartman <hartmans-ietf@mit.edu> wrote:
>  Let's discuss Thursday.
> I'd like to understand what the user= value signifies and whether it's
> actually a SASL authorization identifier.
>
> I'd like to understand whether there's value in an unprotected SASL
> authorization identifier.
>
>
>
>
>
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>
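An added example, not code from the draft, the thread or any of the posters: a parser for the client_resp grammar quoted above, with the "user" kvpair treated the way the quoted -03/-14 text requires (a routing hint only, never authoritative). The KNOWN_KEYS set, the TOKENS table that stands in for real bearer-token validation, the rejection of duplicate keys, and the rule that the token's subject must equal the gs2-header authzid are assumptions of this example, not requirements of the draft. The legacy_parse function shows the option 2b reading from the consensus call: a server that knows nothing about GS2 sees the header as the unknown key "n,a" and ignores it.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

KVSEP = "\x01"

# Grammar from the quoted draft text, with "key" in its option-2b form:
#   key    = 1*(ALPHA / ",")
#   value  = *(VCHAR / SP / HTAB / CR / LF)
#   kvpair = key "=" value kvsep
KEY_RE = re.compile(r"[A-Za-z,]+")
VALUE_RE = re.compile(r"[\x21-\x7e \t\r\n]*")

# Keys this example server understands; the draft says unknown keys MUST be ignored.
KNOWN_KEYS = {"user", "host", "port", "auth"}

# Constructed token table standing in for real bearer-token validation with the
# authorization server (an assumption of this example, not part of the draft).
TOKENS = {"vF9dft4qmTc2Nvb3RlckBhdHRhdmlzdGEuY29tCg==": "user@example.com"}


@dataclass
class ClientResp:
    gs2_header: Optional[str]          # None for the empty response (a bare kvsep)
    cb_flag: Optional[str] = None      # "n", "y" or "p=<cb-name>" per RFC 5801
    authzid: Optional[str] = None      # the "a=" part of the gs2-header
    kv: dict = field(default_factory=dict)


def parse_kvpairs(body: str) -> dict:
    """Parse 0*kvpair: zero or more (key "=" value kvsep), nothing after the last kvsep."""
    if body and not body.endswith(KVSEP):
        raise ValueError("kvpair sequence must end with kvsep")
    kv, seen = {}, set()
    for pair in body.split(KVSEP)[:-1]:
        key, eq, value = pair.partition("=")       # a value may itself contain "="
        if not eq or not KEY_RE.fullmatch(key) or not VALUE_RE.fullmatch(value):
            raise ValueError("malformed kvpair: %r" % pair)
        if key in seen:                            # duplicates: rejected (example policy)
            raise ValueError("duplicate key: %r" % key)
        seen.add(key)
        if key in KNOWN_KEYS:                      # unknown keys are ignored, per the draft
            kv[key] = value
    return kv


def parse_gs2_header(header: str):
    """RFC 5801: gs2-header = [gs2-nonstd-flag ","] gs2-cb-flag "," [gs2-authzid] ","."""
    parts = header.split(",")
    if parts[0] == "F":                            # non-standard GS2 flag; skip it
        parts = parts[1:]
    if len(parts) != 3 or parts[2] != "":
        raise ValueError("malformed gs2-header: %r" % header)
    cb_flag, authz = parts[0], parts[1]
    if cb_flag not in ("n", "y") and not cb_flag.startswith("p="):
        raise ValueError("bad gs2-cb-flag: %r" % cb_flag)
    if authz == "":
        return cb_flag, None
    if not authz.startswith("a="):
        raise ValueError("bad gs2-authzid: %r" % authz)
    # saslname escapes "," as "=2C" and "=" as "=3D"; undo them in that order
    return cb_flag, authz[2:].replace("=2C", ",").replace("=3D", "=")


def parse_client_resp(msg: str) -> ClientResp:
    """client_resp = (gs2-header kvsep 0*kvpair kvsep) / kvsep"""
    if msg == KVSEP:
        return ClientResp(gs2_header=None)
    header, _, rest = msg.partition(KVSEP)
    if not rest.endswith(KVSEP):
        raise ValueError("client_resp must end with kvsep")
    cb_flag, authzid = parse_gs2_header(header)
    if authzid is None:
        raise ValueError("draft text: the gs2-header MUST include the authzid")
    return ClientResp(header, cb_flag, authzid, parse_kvpairs(rest[:-1]))


def legacy_parse(msg: str) -> dict:
    """Option 2b as seen by a server that knows nothing about GS2: everything up
    to the final kvsep is 0*kvpair, so the header becomes the unknown key "n,a"."""
    if not msg.endswith(KVSEP):
        raise ValueError("client_resp must end with kvsep")
    return parse_kvpairs(msg[:-1])


def authenticate(msg: str) -> Optional[str]:
    """Return the authenticated user or None. The user= kvpair is only a routing
    hint; the identity comes from the bearer token and must match the authzid."""
    resp = parse_client_resp(msg)
    if resp.gs2_header is None:
        return None                                # empty response: nothing to check
    scheme, _, token = resp.kv.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    subject = TOKENS.get(token)                    # stand-in for real token validation
    if subject is None or subject != resp.authzid:
        return None
    return subject
```

Note that the grammar makes every well-formed non-empty response end in two kvsep bytes (the last kvpair's own terminator plus the closing one), and that a user= value which disagrees with the token changes nothing: only the token's subject, checked against the authzid, decides who is logged in.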