Re: [kitten] WGLC on draft-ietf-kitten-sasl-oauth-12
Bill Mills <wmills@yahoo-inc.com> Wed, 18 December 2013 01:25 UTC
Inline below. I need to fix the examples as you note.

-bill

--------------------------------
William J. Mills
"Paranoid" Yahoo!

On Tuesday, December 17, 2013 2:47 PM, Matt Miller (mamille2) <mamille2@cisco.com> wrote:

On Dec 15, 2013, at 11:15 PM, Shawn M Emery <shawn.emery@oracle.com> wrote:

>
> This message officially starts the 2nd kitten Working Group Last Call for the following document:
>
> A set of SASL Mechanisms for OAuth
> http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-12
>
> The Working Group Last Call for this document starts today on Sunday, December 15th and will end on Tuesday, December 31st.
>
> Please send any comments to the kitten mailing list or directly to the chairs. Even if you reviewed this document and found no issues then please provide this feed-back.
>

Here are my current comments on this draft (more might come later):

MAJOR:

* Removing the GS2-header (which was done in revision -11) also removed the ability for the client to specify an authorization identity. If the lack of an authorization identity is acceptable (and I suspect it is not for some), then the document needs to state these mechanisms do not support authz-id.

[wmills] This is addressed in 3.2.1 of -12; authz-id is possible in some OAuth schemes.

* In section 3.2.2. Server Response to Failed Authentication, returning a space-separated list for the "scope" field is NOT RECOMMENDED, but also says the lack of a "scope" (value or field) implies the client SHOULD request tokens that are unscoped (empty list of scopes). However, RFC 6749 § 3.3 does not permit unscoped tokens; the ABNF does not allow for "scope=" (i.e., the empty list), and the text regarding the lack of scope means the authorization server uses a default scope value (or fails authorization outright). To me, this seems like a contradiction that would lead to interoperability problems.

[wmills] "scope" is an optional parameter, so if you want an empty value you don't send scope at all.

MINOR:

* In section 2. Terminology, it does not explicitly state that the reader ought to be familiar with terminology from RFC 4422. This should be added.

[wmills] OK

* In section 3.2.2. Server Response to Failed Authentication, the last paragraph still discusses channel binding. It should be removed.

[wmills] OK

* All of the examples include a gs2-header, but this was removed from the ABNF. The examples need to be updated to remove the header.

* In section 8.1. Normative References, there is an entry for RFC 5056, but this reference is no longer used in the document. It should be removed.

[wmills] OK

NITS:

* HTTP is mentioned but no citation or definition is included.

* XMPP is mentioned but no citation or definition is included.

[wmills] OK x2

* In section 1. Introduction, SMTP is mentioned with a citation but without a definition (unlike SASL and IMAP immediately preceding).

[wmills] I see "SMTP [RFC5321]" there

* In section 3. OAuth SASL Mechanism Specifications, the two lists describing success and failure flows are in fact ordered (numbered), but the document presents them as unordered (symbols).

[wmills] OK

* In section 3.2.2. Server Response to Failed Authentication, replace [[ need registry name ]] with "OAuth Extensions Error Registry".

[wmills] OK

* In section 4.2. Failed Exchange, the "status" value of "401" is not in the OAuth Extensions Error Registry; "invalid_request" seems appropriate here instead.

* In section 4.3. SMTP Example of a Failed Negotiation, the (encoded) server response uses a "status" value of "401", which is not in the OAuth Extensions Error Registry; "invalid_token" seems appropriate here instead.

[wmills] Will fix the 2 above (as opposed to OK which indicates I already did the edit)

* In section 5. Security Considerations, the phrase "This document specifies three SASL mechanisms" should be "This document specifies two SASL mechanisms".

[wmills] OK

* In Appendix A. Acknowledgements, "area directors" should be "area director".

[wmills] OK

- m&m
Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.
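As an added illustration (not part of the thread or of the draft itself), a small interoperability checker for the server's failed-authentication JSON body that encodes the review points above: a "status" that is not a registered OAuth error name (such as the HTTP code "401" in the -12 examples) is rejected, an empty "scope" is rejected because the RFC 6749 § 3.3 ABNF has no empty scope and the field should simply be omitted, and a space-separated scope list is flagged as NOT RECOMMENDED. The registry contents are an assumption taken from the RFC 6750 entries; the sample responses are constructed.

```python
import json

# Assumption: the RFC 6750 entries in the OAuth Extensions Error Registry
# are the error names a SASL server would return in "status".
REGISTERED_STATUS = {"invalid_request", "invalid_token", "insufficient_scope"}


def check_failure_response(raw):
    """Return a list of interoperability problems found in a server
    failure response (the JSON body discussed in section 3.2.2).
    An empty list means the response looks acceptable."""
    try:
        body = json.loads(raw)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body is not a JSON object"]

    problems = []
    status = body.get("status")
    if status is None:
        problems.append('missing "status"')
    elif status not in REGISTERED_STATUS:
        # e.g. the HTTP status code "401" used in the -12 examples
        problems.append(f'"status" {status!r} is not a registered OAuth error')

    if "scope" in body:
        scope = body["scope"]
        if not isinstance(scope, str) or scope == "":
            # RFC 6749 s.3.3 ABNF has no empty scope: omit the field instead
            problems.append('"scope" must be omitted rather than empty')
        elif " " in scope:
            problems.append('space-separated "scope" list is NOT RECOMMENDED')
    return problems


def wants_unscoped_token(raw):
    """Per the draft text: no "scope" field means the client should
    request an unscoped token."""
    return "scope" not in json.loads(raw)


# Constructed sample responses (not taken from the draft).
BAD = json.dumps({"status": "401", "scope": ""})
GOOD = json.dumps({"status": "invalid_token", "scope": "example_scope"})

if __name__ == "__main__":
    print(check_failure_response(BAD))
    print(check_failure_response(GOOD), wants_unscoped_token(GOOD))
```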