Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP, that is the question...
William Mills <wmills@yahoo-inc.com> Wed, 04 April 2012 14:44 UTC
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9287721F87CD for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 07:44:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.998
X-Spam-Level:
X-Spam-Status: No, score=-16.998 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_44=0.6, J_CHICKENPOX_45=0.6, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Lz2Bfs42zgy for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 07:44:36 -0700 (PDT)
Received: from nm4.bullet.mail.bf1.yahoo.com (nm4.bullet.mail.bf1.yahoo.com [98.139.212.163]) by ietfa.amsl.com (Postfix) with SMTP id 6F7F721F8659 for <kitten@ietf.org>; Wed, 4 Apr 2012 07:44:36 -0700 (PDT)
Received: from [98.139.215.140] by nm4.bullet.mail.bf1.yahoo.com with NNFMP; 04 Apr 2012 14:44:36 -0000
Received: from [98.139.212.209] by tm11.bullet.mail.bf1.yahoo.com with NNFMP; 04 Apr 2012 14:44:35 -0000
Received: from [127.0.0.1] by omp1018.mail.bf1.yahoo.com with NNFMP; 04 Apr 2012 14:44:35 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 975703.71792.bm@omp1018.mail.bf1.yahoo.com
Received: (qmail 70044 invoked by uid 60001); 4 Apr 2012 14:44:35 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1333550675; bh=CjCJ+lPew1GPgxwZtq8WioxhKiWb0VFXIQ0bZ75kgpU=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=YzXatyCxICHnp2gq72h37EwqruqyId3H4w+5jfoE+NY15BDoNNCHvUMxXGg6iNJd3otmoc25nmp7YJXoLRMyeYujysss8sKQ9bu84yjprEFQ+4PjQOkVFGqrvbvQMNkBA1+25A7nm28lpjv21yMcQtsvwctRaYJ7xtTHDAXciiU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=jAht3yXYXWUDrf8xALOvdRsXvOak/b0dS8X5+FRNn2pM+hl4cvSCSMSSLKJVu1wme5nzA4sWpPZibPrvoyGTd0/S7mNuwuJaJ0OYFxJNQgmynhKwZVO/gt2CNcvpqnTePvQmkKa1k4Q5aYj8gVmZVvF3+ZvMgW3bjcz81qRdQS8=;
X-YMail-OSG: tMnFt1UVM1muHWUYbJhwjFzzkSmkzzox3kbTwTHl7D_R_y2 YTnpo1_TvE0IZyrbpY4fvDEuw.quDH33G9dDxGVh9JLRhIMLgkLYXcLngQNW 2gVXcUq19nN__Bd64z4JKMLHIpxU9_phF1GrZcTUWu.E.32HVYrGSSonIP30 LOrnHDQMu1n_dv0W2T24SBcFjoKY.F5zgFm39vNYA2igKJpmfwMIxBbWx22d 7KxWNypxh5qb8J3ZcL9RVOrrK42vhmvePrqMebzwNMSjZZDQuIITOzTAn2cB 51LSs7nWx_I1Dw4Ykvgh94m1ipBYcFv0ZtCg2i2W8vrQzooDpuvpIyAmGUn5 ZC6ZGRGJcDJZokTdRMOBtTXNGshGbnIDdGmzLH79Wc_C07btlspB0YhjBJ2f Z.jI1_gJiLVewM2Fa1WJDzt8clyo-
Received: from [99.31.212.42] by web31811.mail.mud.yahoo.com via HTTP; Wed, 04 Apr 2012 07:44:35 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.117.340979
References: <1333498239.81695.YahooMailNeo@web31804.mail.mud.yahoo.com> <1333501139.69852.YahooMailNeo__42841.0879838795$1333501152$gmane$org@web31807.mail.mud.yahoo.com> <87wr5wq6p1.fsf@latte.josefsson.org>
Message-ID: <1333550675.70008.YahooMailNeo@web31811.mail.mud.yahoo.com>
Date: Wed, 04 Apr 2012 07:44:35 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Simon Josefsson <simon@josefsson.org>
In-Reply-To: <87wr5wq6p1.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="764183289-1723244725-1333550675=:70008"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP, that is the question...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 14:44:37 -0000
One of the real takeaways for me from the IETF is that parsing HTTP is deep deep water with sharks in it. Of the things we have to parse right now the hairiest would be the authorization header because it may have multiple authorization elements. Everything else is comparatively simple. The data elements we need are: - Host - port - Authorization header payload for the oauth profile - username -- used for auth(zn) endpoint discovery only - path+query string -- currently a stub of extensibility - HTTP body-- currently a stub of extensibility The auth header payload is still going to have to be parsed by the server as is I think. It's too complex to try to provide an arbitrary structured mapping for all cases and it's just an opportunity for error. Extensibility can be done with an IANA registry of n/v fields for the purpose. After that I'd probably choose a format like'Name ":" value CRLF' over JSON. >________________________________ > From: Simon Josefsson <simon@josefsson.org> >To: William Mills <wmills@yahoo-inc.com> >Cc: "kitten@ietf.org" <kitten@ietf.org> >Sent: Wednesday, April 4, 2012 12:47 AM >Subject: Re: OAUTH/SASL... to HTTP or not to HTTP, that is the question... > >William Mills <wmills@yahoo-inc.com> writes: > >> The major question remaining for my draft is HTTP(like) or not for the >> SASL message format? Please select one of the following: >> >> >> A) The current message format is fine. >> B) HTTP-like is OK as long as we limit the insanity. >> C) HTTP in any form is a deal breaker for me. Give me something simple. >> D) None of the above, and I have a possible solution of my own to propose. >> >> For B above it's likely that we'd say something like "The server MUST >> parse the Host, User, and Authorization headers and the server MAY >> discard anything else. The client MUST NOT use any HTTP extensions >> such as compression and pipelining, and SHOULD NOT use line >> continuations." >> >> Thanks in advance for the input, > >To get informed answers, I think we need to understand the implications >of each answer. Let's say we invent a new format for SASL OAUTH. How >much of a problem would that really be? Where would the complexity >related to HTTP have to be implemented? Is it the server that would >need to parse HTTP and transform it to something simpler? Is the client >completely shielded? > >Looking at history, I believe one of the main reasons DIGEST-MD5 didn't >quickly replace CRAM-MD5 was that DIGEST-MD5 was so complicated to >implement interoperable, and that was primarily because it re-used HTTP >syntax. So I don't think this is just a pet issue, it seems that if >SASL wire syntax is too complicated, things won't get implemented. > >If I were to express a preference now I would lean towards B). However, >if the implications of C) are not severe, I think it would make sense to >use a simpler format. Then it becomes much easier to implement and >analyse what goes on over the SASL wire. Without a good rationale, I >would be strongly opposed to free-form HTTP as the SASL syntax. > >/Simon > > >
- [kitten] Feedback from IETF #83 on the OAUTH/SASL… William Mills
- [kitten] OAUTH/SASL... to HTTP or not to HTTP, th… William Mills
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… Nico Williams
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… Simon Josefsson
- Re: [kitten] Feedback from IETF #83 on the OAUTH/… Simon Josefsson
- Re: [kitten] Feedback from IETF #83 on the OAUTH/… William Mills
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… William Mills
- Re: [kitten] OAUTH/SASL... to HTTP or not to HTTP… Matt Peterson