Re: [kitten] Updating OAuth SASL
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 22 November 2012 14:38 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCEE21F8596 for <kitten@ietfa.amsl.com>; Thu, 22 Nov 2012 06:38:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDpPR8VSoIV9 for <kitten@ietfa.amsl.com>; Thu, 22 Nov 2012 06:38:53 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 5E07E21F8B1F for <kitten@ietf.org>; Thu, 22 Nov 2012 06:38:53 -0800 (PST)
Received: (qmail invoked by alias); 22 Nov 2012 14:38:51 -0000
Received: from unknown (EHLO [10.255.131.102]) [194.251.119.201] by mail.gmx.net (mp030) with SMTP; 22 Nov 2012 15:38:51 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+ZuslKVsWZ9i2dtIkzsn/GbsX0CprhgCrlfalVd3 aLX04GJD35p2jJ
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <1353372782.48256.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Thu, 22 Nov 2012 16:38:49 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E53F19E5-1665-4D0F-8C78-168081B29833@gmx.net>
References: <841A324B-C22C-4FB6-9D62-9CF0430BD940@gmx.net> <1353372782.48256.YahooMailNeo@web31804.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>, Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.1085)
X-Y-GMX-Trusted: 0
Cc: kitten@ietf.org
Subject: Re: [kitten] Updating OAuth SASL
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Nov 2012 14:38:55 -0000
Hi Bill, Hi Alexey, I am wondering whether we couldn't just re-use the text we have in the SASL OpenID specification. Here is the relevant text from Section 4.1 of RFC 6616: ---- 4.1. GSS-API Principal Name Types for OpenID OpenID supports standard generic name syntaxes for acceptors such as GSS_C_NT_HOSTBASED_SERVICE (see Section 4.1 of [RFC2743]). OpenID supports only a single name type for initiators: GSS_C_NT_USER_NAME. GSS_C_NT_USER_NAME is the default name type for OpenID. OpenID name normalization is covered by the OpenID specification; see Section 7.2 of [OpenID]. The query, display, and exported name syntaxes for OpenID principal names are all the same. There are no OpenID-specific name syntaxes -- applications should use generic GSS-API name types such as GSS_C_NT_USER_NAME and GSS_C_NT_HOSTBASED_SERVICE (see Section 4 of [RFC2743]). The exported name token does, of course, conform to Section 3.2 of [RFC2743], but the "NAME" part of the token should be treated as a potential input string to the OpenID name normalization rules. For example, the OpenID Identifier "https://openid.example/" will have a GSS_C_NT_USER_NAME value of "https://openid.example/". GSS-API name attributes may be defined in the future to hold the normalized OpenID Identifier. ------- Of course instead of talking about OpenID identifiers (as URIs) we would be talking about resource owner identifiers, for example, the "Principal" defined in Section 4.1.6 of JWT (in case a JSON-based structure is used to encode information, as it was done with OpenID Connect). Note that the JWT spec does not define the syntax of the principal identifier. Section 3.2.1 and Section 3.2.2 of the current OAuth SASL draft would be impacted. Does this sound reasonable? Ciao Hannes On Nov 20, 2012, at 2:53 AM, William Mills wrote: > We can strike that second sentence if you want, it was there to try to clarify, and if it's not doing that kill it. > > > From: Hannes Tschofenig <hannes.tschofenig@gmx.net> > To: kitten@ietf.org > Sent: Sunday, November 18, 2012 11:43 PM > Subject: [kitten] Updating OAuth SASL > > Hi all, > > I have incorporated Alexey's comments into the draft and also my own earlier review comments. > Here is the current snapshot: > https://github.com/hannestschofenig/tschofenig-ids/blob/master/sasl-oauth/draft-ietf-kitten-sasl-oauth-09.txt > > There is one issue that Alexey raised, which I still have to understand better myself, namely: > > ----- > > 3.2.2. Canonicalization > > The identity asserted by the OAuth authorization server is canonical > for display. The server MAY provide a different canonical form based > on local data. > > I don't understand the second sentence. SASL server? How can it do that? > > ------ > > Ciao > Hannes > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten > >
- [kitten] Updating OAuth SASL Hannes Tschofenig
- Re: [kitten] Updating OAuth SASL Alexey Melnikov
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL Hannes Tschofenig
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL Hannes Tschofenig