Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP, that is the question...
Simon Josefsson <simon@josefsson.org> Wed, 04 April 2012 07:47 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E1321F85B1 for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 00:47:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.661
X-Spam-Level:
X-Spam-Status: No, score=-99.661 tagged_above=-999 required=5 tests=[AWL=0.248, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yTe6l0rL9oGf for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 00:47:54 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id 4C57C21F85AE for <kitten@ietf.org>; Wed, 4 Apr 2012 00:47:53 -0700 (PDT)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q347ldg3009031 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 4 Apr 2012 09:47:41 +0200
From: Simon Josefsson <simon@josefsson.org>
To: William Mills <wmills@yahoo-inc.com>
References: <1333498239.81695.YahooMailNeo@web31804.mail.mud.yahoo.com> <1333501139.69852.YahooMailNeo__42841.0879838795$1333501152$gmane$org@web31807.mail.mud.yahoo.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:120404:kitten@ietf.org::iNgWwDyOUyoXaWvj:Ls4h
X-Hashcash: 1:22:120404:wmills@yahoo-inc.com::Uxv9lfh7wRvylGhi:0bcrJ
Date: Wed, 04 Apr 2012 09:47:38 +0200
In-Reply-To: <1333501139.69852.YahooMailNeo__42841.0879838795$1333501152$gmane$org@web31807.mail.mud.yahoo.com> (William Mills's message of "Tue, 3 Apr 2012 17:58:59 -0700 (PDT)")
Message-ID: <87wr5wq6p1.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.0.94 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP, that is the question...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 07:47:55 -0000
William Mills <wmills@yahoo-inc.com> writes: > The major question remaining for my draft is HTTP(like) or not for the > SASL message format? Please select one of the following: > > > A) The current message format is fine. > B) HTTP-like is OK as long as we limit the insanity. > C) HTTP in any form is a deal breaker for me. Give me something simple. > D) None of the above, and I have a possible solution of my own to propose. > > For B above it's likely that we'd say something like "The server MUST > parse the Host, User, and Authorization headers and the server MAY > discard anything else. The client MUST NOT use any HTTP extensions > such as compression and pipelining, and SHOULD NOT use line > continuations." > > Thanks in advance for the input, To get informed answers, I think we need to understand the implications of each answer. Let's say we invent a new format for SASL OAUTH. How much of a problem would that really be? Where would the complexity related to HTTP have to be implemented? Is it the server that would need to parse HTTP and transform it to something simpler? Is the client completely shielded? Looking at history, I believe one of the main reasons DIGEST-MD5 didn't quickly replace CRAM-MD5 was that DIGEST-MD5 was so complicated to implement interoperable, and that was primarily because it re-used HTTP syntax. So I don't think this is just a pet issue, it seems that if SASL wire syntax is too complicated, things won't get implemented. If I were to express a preference now I would lean towards B). However, if the implications of C) are not severe, I think it would make sense to use a simpler format. Then it becomes much easier to implement and analyse what goes on over the SASL wire. Without a good rationale, I would be strongly opposed to free-form HTTP as the SASL syntax. /Simon
- [kitten] Feedback from IETF #83 on the OAUTH/SASL… William Mills
- [kitten] OAUTH/SASL... to HTTP or not to HTTP, th… William Mills
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… Nico Williams
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… Simon Josefsson
- Re: [kitten] Feedback from IETF #83 on the OAUTH/… Simon Josefsson
- Re: [kitten] Feedback from IETF #83 on the OAUTH/… William Mills
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… William Mills
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… Matt Peterson