Re: [kitten] WGLC on draft-ietf-kitten-sasl-oauth-12

Bill Mills <wmills@yahoo-inc.com> Wed, 18 December 2013 01:25 UTC

References: <52AE9A65.1010700@oracle.com> <C2752600-AC7C-4839-8BD0-3D850ECB19EB@cisco.com>
Message-ID: <1387329873.35383.YahooMailNeo@web125604.mail.ne1.yahoo.com>
Date: Tue, 17 Dec 2013 17:24:33 -0800
From: Bill Mills <wmills@yahoo-inc.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>, Shawn M Emery <shawn.emery@oracle.com>, "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <C2752600-AC7C-4839-8BD0-3D850ECB19EB@cisco.com>

Inline below.  I need to fix the examples as you note.

-bill

--------------------------------
William J. Mills
"Paranoid" Yahoo!

On Tuesday, December 17, 2013 2:47 PM, Matt Miller (mamille2) <mamille2@cisco.com> wrote:

On Dec 15, 2013, at 11:15 PM, Shawn M Emery <shawn.emery@oracle.com> wrote:

> 
> This message officially starts the 2nd kitten Working Group Last Call for the following document:
> 
> A set of SASL Mechanisms for OAuth
> http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-12
> 
> The Working Group Last Call for this document starts today on Sunday, December 15th and will end on Tuesday, December 31st.
> 
> Please send any comments to the kitten mailing list or directly to the chairs.  Even if you reviewed this document and found no issues then please provide this feed-back.
> 

Here are my current comments on this draft (more might come later):

MAJOR:

* Removing the GS2-header (which was done in revision -11) also removed the ability for the client to specify an authorization identity.  If the lack of an authorization identity is acceptable (and I suspect it is not for some), then the document needs to state these mechanisms do not support authz-id.

[wmills] This is addressed in 3.2.1 of -12; authz-id is possible in some OAuth schemes.

* In section 3.2.2. Server Response to Failed Authentication, returning a space-separated list for the "scope" field is NOT RECOMMENDED, but also says the lack of a "scope" (value or field) implies the client SHOULD request tokens that are unscoped (empty list of scopes).  However, RFC 6749 § 3.3 does not permit unscoped tokens; the ABNF does not allow for "scope=" (i.e., the empty list), and the text regarding the lack of scope means the authorization server uses a default scope value (or fails authorization outright).  To me, this seems like a contradiction that would lead to interoperability problems.

[wmills] "scope" is an optional parameter, so if you want an empty value you don't send scope at all.

MINOR:

* In section 2. Terminology, it does not explicitly state that the reader ought to be familiar with terminology from RFC 4422.  This should be added.

[wmills] OK

* In section 3.2.2. Server Response to Failed Authentication, the last paragraph still discusses channel binding.  It should be removed.

[wmills] OK

* All of the examples include a gs2-header, but this was removed from the ABNF.  The examples need to be updated to remove the header.


* In section 8.1. Normative References, there is an entry for RFC 5056, but this reference is no longer used in the document.  It should be removed.

[wmills] OK

NITS:

* HTTP is mentioned but no citation or definition is included.
* XMPP is mentioned but no citation or definition is included.

[wmills] OK x2


* In section 1. Introduction, SMTP is mentioned with a citation but without a definition (unlike SASL and IMAP immediately preceding).

[wmills] I see "SMTP [RFC5321]" there

* In section 3. OAuth SASL Mechanism Specifications, the two lists describing success and failure flows are in fact ordered (numbered), but the document presents them as unordered (symbols).

[wmills] OK

* In section 3.2.2. Server Response to Failed Authentication, replace [[ need registry name ]] with "OAuth Extensions Error Registry".

[wmills] OK

* In section 4.2. Failed Exchange, the "status" value of "401" is not in the OAuth Extensions Error Registry; "invalid_request" seems appropriate here instead.

* In section 4.3. SMTP Example of a Failed Negotiation, the (encoded) server response uses a "status" value of "401", which is not in the OAuth Extensions Error Registry; "invalid_token" seems appropriate here instead.

[wmills] Will fix the 2 above (as opposed to OK which indicates I already did the edit)

* In section 5. Security Considerations, the phrase "This document specifies three SASL mechanisms" should be "This document specifies two SASL mechanisms".

[wmills] OK

* In Appendix A. Acknowledgements, "area directors" should be "area director".

[wmills] OK


- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.


_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten
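The "scope" and "status" points raised in the thread above (empty scope is not allowed by the RFC 6749 section 3.3 ABNF, so a server wanting a default scope omits the field; "401" is not a registered error code) can be checked mechanically on the server's failed-authentication JSON. The following is an added example written for this page, not code from the draft or from either poster; it assumes a JSON body carrying only the "status" and "scope" members discussed here and checks "status" only against the two registry values named in the review.

```python
import json
import re

# RFC 6749 section 3.3 ABNF, as cited in the review above:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# A scope-token never contains SP, DQUOTE or backslash, and the list is
# never empty: "scope=" with no value is not permitted.
_SCOPE_TOKEN = r"[\x21\x23-\x5B\x5D-\x7E]+"
_SCOPE_RE = re.compile(rf"^{_SCOPE_TOKEN}(?: {_SCOPE_TOKEN})*$")

# Error codes named in the review. Assumption: the real OAuth Extensions
# Error Registry holds more entries; only these two are recognised here.
KNOWN_STATUS = {"invalid_request", "invalid_token"}


def scope_is_valid(scope: str) -> bool:
    """True if `scope` matches the RFC 6749 ABNF (non-empty, SP-separated)."""
    return _SCOPE_RE.fullmatch(scope) is not None


def check_failure_response(body: str) -> dict:
    """Validate the JSON a server returns on failed authentication.

    Returns the parsed status, the scope tokens the client should request
    next (None when the server sent no "scope", i.e. ask for the default
    scope rather than sending an empty one), and a list of problems found.
    """
    problems = []
    obj = json.loads(body)
    status = obj.get("status")
    if status not in KNOWN_STATUS:
        problems.append(f"status {status!r} is not a registered error code")
    if "scope" not in obj:
        scopes = None  # absent: client requests a default (unscoped) token
    elif not isinstance(obj["scope"], str) or not scope_is_valid(obj["scope"]):
        problems.append("scope value violates RFC 6749 section 3.3 ABNF")
        scopes = None
    else:
        scopes = obj["scope"].split(" ")
    return {"status": status, "scopes": scopes, "problems": problems}
```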