Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21

Bill Mills <> Tue, 28 April 2015 15:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 882E41A87A8 for <>; Tue, 28 Apr 2015 08:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.291
X-Spam-Status: No, score=0.291 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, J_CHICKENPOX_32=0.6, J_CHICKENPOX_72=0.6, J_CHICKENPOX_82=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FEOVIAWZ4GMs for <>; Tue, 28 Apr 2015 08:48:47 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 67E1B1A8792 for <>; Tue, 28 Apr 2015 08:48:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1430236126; bh=sLkDW8dAfdmx+9fRPWOLo5OIKCm4G63ZtHBEOA6UM6I=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=ERpLEbCw/cdwsWF3qyTsPCvmUmpEhtdXmdC5wT7hDHjH7hFjewHr78zv2yfADboRLA6C2cZsRGoXWZ3Xcqo+9g4Bxsvi8HddgbHlvUlMRUe+0E5JgN1ThoEUq23Z+iz+9HASJ489xqlT0gsMtnMXI+BCT0Y3zsZAtNkJUWSr4TkpS+GX8JLOt+6/rLM0hj4hFslX9mzbEiRsPdn8Q/mMUI9G1M/LTe56qurEWRsVz9pwXdcBxkbABi0A8yV0n8o1SiBEvMPlPn6176KmroS4Hrbk0jTYdl2IVfcLtJ/EpI9/1jjcUrYYB57T+0nDhKlTi6m39Ewl7QPzyVxnXkF4Fw==
Received: from [] by with NNFMP; 28 Apr 2015 15:48:46 -0000
Received: from [] by with NNFMP; 28 Apr 2015 15:48:46 -0000
Received: from [] by with NNFMP; 28 Apr 2015 15:48:46 -0000
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: yk41OLIVM1nxgZ7GZuoWphQMdh7zcQVos6rYIAqH9U5XP0weLtdmyZYQtCCovAv cwnlZu_lp_fl9I1oQH7A0VHn_PWCqWxHIfMWBxyw6P5GATbh3xYjchLzp0LOZOVXKDrFymszk0Gj KBHG0qce1hQVADO1ygbpS0LA5MrS8cmiGfyHWYu7_Z1JpnVhDMA8MkqbY_fw2YewqIyWkF5EylD7 pYTxVTTrJ0nXt.2vr5heYQOgViTCgFMkyxkkurMRZz.jHw5BsHkh.1AmlZhNEc9z3vYX8Szvp9T6 IXKzMpsd3KqrQXFjLEdkvx1lPEhhEQRH9UF.zV6gxSXK9Yl5xxqM800msGAgMLRKSva1D1gorQfV fYHtmkfNdHR6l2.aY73MMLJVWBtfBV6Y8G.omjiWaPIjTmF8AZH0CQZIZi3jPrvnww4rOsO.cZSa o9lliL0NmM1rtZXb9bp3_CH_LHBUiz9KH6vzc_pxzcrptg577FNsqRsiICjSaLT_mNxESFe1F95L xzI5RDFVbUNEu8taj77LxgwLIaNT1ajSbeB79OpXZSSge
Received: by; Tue, 28 Apr 2015 15:48:46 +0000
Date: Tue, 28 Apr 2015 15:48:45 +0000 (UTC)
From: Bill Mills <>
To: Stephen Farrell <>, Benjamin Kaduk <kaduk@MIT.EDU>
Message-ID: <>
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_7347806_1631543971.1430236125336"
Archived-At: <>
Cc: "" <>
Subject: Re: [kitten] AD review of draft-ietf-kitten-sasl-oauth-21
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <>
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 28 Apr 2015 15:48:50 -0000

-22 up on Github with the noted changes from below.

On Tuesday, April 28, 2015 7:48 AM, Stephen Farrell <> wrote:
>Hi Ben, Bill,>>(Sorry for the slow response, got distracted yesterday;-)>>On 27/04/15 23:23, Benjamin Kaduk wrote:>> On Sat, 25 Apr 2015, Stephen Farrell wrote:>> >>>>>> I'm sorry but we seem to be talking past one another for both>>> issues. Let me try another tack but it may also help if someone>>> else chimes in.>> >> [puts on shepherd hat]>> Sorry for the long silence; I was sick last week and didn't get much>> of anything done.>> >> Question (1) is about the host and port kvpairs of the initial client>> response; Stephen claims that any server software using this SASL>> mechanism will know what hostname and port the client is trying to access.>> It seems like this is in fact true, >>Right. And that means we're duplicating that information. And such>duplication, when the value are not the same, is a time-honoured way>of getting around authorization systems that forget that there are>two copies and who only check one. If you want to keep the duplication>then I think you have to note that.
Again I disagree, this is *exactly* the same problem the HTTP host headersolves.  IMAP does not have anything that conveys hostname.  Port number might be known but hostname is not guaranteed. Added "The server SHOULD validate that the host and port values match the expected values for the service." to the end of the paragraph discussing signature base strings where host and port are defined in 3.
>>> but Bill says there is no API for a>> SASL mechanism implementation to query this from up the stack (and would>> require patching the core SASL implementation, not just a mechanism>> implementation).  The natural question to ask, then, is if other SASL>> mechanisms are verifying a client-supplied hostname, and if so, how.  In>> Kerberos the desired service principal name includes a hostname, and can>> be determined by examining the sname field of the presented Ticket.  In>> practice, kerberized application servers are generally configured to>> either use one specific service principal name, or any for which keys can>> be found [optionally, of the given service type].  >>That could be a valid choice, but ought be clear to whoever>is issuing the tickets, (or tokens here) right?
No.  The example is Google's OAuth implementation that uses the same tokenfor both SMTP and IMAP.  Same ticket, different hostnames. 
>>> So, the hostname used>> by the client can be determined just from the authentication blob, without>> a need to consult the SASL stack.  If other mechanisms are similar to>> kerberos, than I guess it makes sense to explicitly include the target>> hostname in the initial client response, as is currently done.  This seems>> to be the only relevant part of the discussion; I don't think that OAuth>> tokens valid for multiple servers are particularly interesting for>> answering this question.>> >> Additionally, the SASL application server certainly knows what port it is>> receiving traffic on.  But, as Bill notes, if there is a load-balancer or>> TLS terminator in between, the port the server is listening on can differ>> from the port that the client sent to.  My understanding is that it is not>> terribly common for authentication/authorization schemes to be>> port-restricted, so it is plausible that the SASL mechanisms currently in>> use in such scenarios do not use a port number and thus can succeed>> unchanged, whereas OAuth 1.0a does bind to the port number and needs an>> explicit hint.>> >> In both cases (hostname and port), my tentative conclusion is that no>> change to the draft is needed.>>If keeping it, I think you need the warning about duplication. I'm>guessing that that warning won't ever be in other RFCs, as>applications presumably don't need to say which SASL mechanisms are>allowed.>>(I wonder if this is just one example of where the first sentence>of 3.2 doesn't have sufficient detail?)>>> >> >> Question (2) relates to the use of TLS.  This document is in a somewhat>> awkward position of specifying both a specific (pair of) mechanisms and a>> (hopefully) general framework for converting HTTP OAuth mechanisms into>> SASL mechanisms.  For all currently specified OAuth (2.0) mechanisms, TLS>> is required to protect the bearer token, but we hope that future OAuth>> mechanisms can be specified which do not use bearer tokens and thus have a>> weaker dependency on TLS.  In particular, we hope that such future OAuth>> HTTP mechanisms can be converted to SASL mechanisms using the framework>> specified in this document.>> >> So, while TLS MUST be used for the concrete mechanisms this document>> specifies [1], there is not a very strong case to say that TLS MUST be>> used for all mechanisms compliant to this framework.  This framework for>> SASL mechanisms does not provide any security layer for data security, so>> if confidentiality of data is required, TLS ought to be used.  But I'm not>> sure that's even a SHOULD, let alone a MUST.>> >> I concede Stephen's point that section 3 should say *something* about TLS,>> and propose moving (or copying?) text from the security considerations>> relating to the two specific mechanisms (MUST for OAUTHBEARER; RECOMMENDED>> for OAUTH10A), along with some text giving guidance for future mechanisms>> using this framework.  It's not clear to me that sections 4 and 5 are>> internally inconsistent, though -- unless the difference between "TLS MUST>> be used" and "TLS must be provided" is the concern?>> >> To suggest some concrete text, insert into section 3, after the paragraph>> "New extensions may be defined [...] citing this specification for the>> further definition.":>> >> %%%%%%%%%%%%%%%%%%%%%%%%>> >> SASL mechanisms using this document as their definition do not provide>> a data security layer; that is, they cannot provide integrity or>> confidentiality protection for application messages after the initial>> authentication.  If such protection is needed, TLS or some similar>> solution should be used.  Additionally, for the two mechanisms specified>> in this document, TLS MUST be used for OAUTHBEARER to protect the bearer>> token; for OAUTH10A the use of TLS is RECOMMENDED.>>I'd be fine with that change.>
This duplicates text from the definition of OAUTHBEARER above, but if it makes you happy it's in.
>S.>>> >> %%%%%%%%%%%%%%%%%%%%%%%%>> >> The start of the next paragraph could probably also benefit from new>> transition text, such as "Mechanisms using this document as a definition>> are client initiated [...]".>> >> >> >> With respect to the nits:>> >> I only see one valid entry in the idnits output about the references;>> draft-ietf-oauth-dyn-reg has had a new version come out in the interim.>> It also claims that RFC 5849 (OAuth 1) is obsolete, but we do need to>> reference it for the OAUTH10A mechanism.  (I thought I said that in the>> shepherd report....)>> >> Alexey looked at an old version of the ABNF and we had to make a couple>> tweaks, but I think it's okay, now.>> >> Bill talked about the kvsep of 0x01, so I will say no more.>> >> I think Bill also covered the privacy aspects of (not) including the>> authzid as well.>> >> I did some checking of the examples, but they should ideally be checked>> again at some point.  (I will probably do it during IETF last call.)>> There were several points in time where the examples were internally>> inconsistent, so it would be good to make sure that we've stamped those>> out.>> >> -Ben>> >> [1] I'm ignoring OAuth 1.0a for this point.>> >>