Re: [kitten] Barry Leiba's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)

Benjamin Kaduk <kaduk@MIT.EDU> Tue, 26 May 2015 20:41 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A423D1B3154; Tue, 26 May 2015 13:41:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v2leOvfuyI5f; Tue, 26 May 2015 13:41:21 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C1B361B3159; Tue, 26 May 2015 13:41:20 -0700 (PDT)
X-AuditID: 12074424-f79f56d000000da5-5c-5564da6f754c
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 12.C6.03493.F6AD4655; Tue, 26 May 2015 16:41:19 -0400 (EDT)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id t4QKfIEf011604; Tue, 26 May 2015 16:41:18 -0400
Received: from ( []) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id t4QKfFjx005902 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 26 May 2015 16:41:17 -0400
Received: (from kaduk@localhost) by ( id t4QKfE3k020487; Tue, 26 May 2015 16:41:14 -0400 (EDT)
Date: Tue, 26 May 2015 16:41:14 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Barry Leiba <>
In-Reply-To: <>
Message-ID: <>
References: <>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpnleLIzCtJLcpLzFFi42IRYrdT0c2/lRJq8KJBxeLQ4kusFn+P/Ga2 eDjjIKPF9AdfmCxm/JnIbHFt935Wi6ObV7E4sHu0rOpl9liy5CdTAFMUl01Kak5mWWqRvl0C V8abVy/YCiYaVzw80sXcwHhEvYuRk0NCwETixZJ/7BC2mMSFe+vZQGwhgcVMEn93inQxcgHZ Gxklps1+xAzhHGKS2PZoHxOE08AocfnyFVaQFhYBbYn2/9+ZQWw2ARWJmW82go0SEdCUeP55 ClgDs8BDRqCxvWAJYYEYieXnvzKB2JwCjhIz334Bu4MXyL598wkLxB0OEpduHAKLiwroSKze P4UFokZQ4uRMiBpmAS2J5dO3sUxgFJyFJDULSWoBI9MqRtmU3Crd3MTMnOLUZN3i5MS8vNQi XXO93MwSvdSU0k2M4PB2UdnB2HxI6RCjAAejEg/vgwPJoUKsiWXFlbmHGCU5mJREeavOpIQK 8SXlp1RmJBZnxBeV5qQWH2KU4GBWEuHtPw6U401JrKxKLcqHSUlzsCiJ8276wRciJJCeWJKa nZpakFoEk5Xh4FCS4PW6CdQoWJSanlqRlplTgpBm4uAEGc4DNDwLpIa3uCAxtzgzHSJ/ilFR SpzXAyQhAJLIKM2D64Wln1eM4kCvCPM2gVTxAFMXXPcroMFMQIPNjoINLklESEk1MIZZBZ0L OFO67tn+lScnNovfuNtsuWtnzbT/Yvl1UUtnvVl4OW2roY33lMaKKR3bdmxK4/eaXfb+XtjW x2vqJ6oFTZMqj801z4pe3f/j9pNUz/BjKt0TN1Q+Edbu5RYPFVu05PAD6b67O8I77+3nWP3r V8Sd7Dtdzw+dD5+atPGBZcy1u5s/yLMrsRRnJBpqMRcVJwIA22x6oxoDAAA=
Archived-At: <>
Cc:,,, The IESG <>,,
Subject: Re: [kitten] Barry Leiba's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 May 2015 20:41:23 -0000

Hi Barry,

On Tue, 26 May 2015, Barry Leiba wrote:

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Another excellent, informative shepherd writeup, which helped with my
> review of the document.  (And, I'll say, most of the really useful
> writeups, as this one, seem to use the "essay" format, rather than the
> Q&A format.)  Thanks, Ben, for the writeup.

You're welcome :)

> -- Section 1 --
>    way to use the Simple Authentication and Security Layer (SASL)
>    [RFC4422] to gain access to resources when using non-HTTP-based
>    protocols, such as the Internet Message Access Protocol (IMAP)
>    [RFC3501] and the Simple Mail Transfer Protocol (SMTP) [RFC5321],
>    which is what this memo uses in the examples.
> When I first read this, I thought the last phrase was bound to SMTP...
> but then I see that both IMAP and SMTP are used in the examples.  So, a
> small thing, but I'd end the sentence after the 5321 reference, and make
> the last phrase into another sentence, like, "This document gives
> examples of use in IMAP and SMTP."

"which is what this memo uses" is certainly wrong, since 'is' is singular
but should be plural to apply to both IMAP and SMTP.  But I think your
version is better, maybe with the addition of "both" before "IMAP and
SMTP" in the last sentence.

> -- Section 2 --
>    Note that the IMAP SASL specification requires base64 encoding, see
>    Section 4 of [RFC4648], not this memo.
> Nit: That seems kind of an odd way to put it, in addition to its having a
> comma splice.  Why not this?:
>    Note that the IMAP SASL specification requires base64 encoding, as
>    specified in Section 4 of [RFC4648].

I think I had noted the comma splice in a previous review but it slipped
through the cracks.  Your version looks fine.

> -- Section 3.2 --
> Nit: "vaialble" -> "available"


> -- Section 3.2.2 --
>       scope (OPTIONAL):  An OAuth scope which is valid to access the
>          service.  This may be omitted which implies that unscoped
>          tokens are required.  If a scope is specified then a single
>          scope is preferred, use of a space separated list of scopes is
> Why is it "NOT RECOMMENDED"?  What interoperability or security issue is
> in play here that makes this "SHOULD NOT"?

I am a little hazy on this, but I seem to recall that some deployed
software assumes that only a single scope will be used, so this is for
interoperability.  (Bill, please jump in if I'm confused.)

>          The server MAY return different URLs for users in
>          different domains and the client SHOULD NOT cache a single
>          returned value and assume it applies for all users/domains that
>          the server suports.  The returned discovery document SHOULD
>          have all data elements required by the OpenID Connect Discovery
>          specification populated.
> Similar questions for the SHOULD NOT and SHOULD here.  In this case, I
> don't understand why they aren't "MUST NOT" and "MUST": for the first, I
> don't understand how a client can interoperate with a server if it
> violates this, and for the second, if they data elements are "required",
> why isn't including them a "MUST"?

This section was one of the repeated areas of contention over the last
calls, so I am somewhat reluctant to bring it back to the WG for
discussion.  I think there would be somewhat more support for SHOULD NOT
--> MUST NOT; the SHOULD for discovery is, IIRC, something of a
compromise, since some parties did not want to bring in a hard dependency
on OpenID Connect's choices.  The only reason I can come up for the SHOULD
NOT, off the top of my head, is if some vendor distributed a mail client
that was only ever going to talk to that same vendor's server.

> (Nit: The "if available" at the end of the paragraph is unnecessary; if
> one is not available, it certainly can't be used.)

That's true, but I like the flow of the sentence with the extra
redundancy better than without it.

> -- Section 4.1 --
>    The
>    underlying TLS establishment is not shown but is required for using
>    Bearer Tokens per that specification.
>    S: * OK IMAP4rev1 Server Ready
>    S: t0 OK Completed
> The problem with this is that if the underlying TLS establishment is done
> through STARTTLS on port 143, that would come between the first line ("S:
> * OK IMAP4rev1 Server Ready") and the second.  And that makes the example
> a bit odd.  The easiest way out of that is simply to remove the first
> line.  Or, better, to replace the first line with something like
> "[Initial connection and TLS establishment...]".  (This applies to the
> subsequent sections as well.)

I would be fine with "[Initial connection and TLS establishment...]".

> I wonder why you don't wrap the decoded payload here the same way you do
> in Section 4.2 (or there the same as here).  I suggest that there'd be
> less room for any confusion if you did them all (4.3 also) the same way
> (I don't care which way you choose).

The examples were added at different times, so keeping them in sync has
been a bit tough.  Hopefully we can enlist the help of the RFC Editor in
ensuring consistency of formatting.

> In the SMTP part, you say this:
>    Note
>    that line breaks are inserted for readability, and that the SMTP
>    protocol terminates lines with CR and LF characters (ASCII values
>    0x0D and 0x0A), these are not displayed explicitly in the example.
> The same is true for the IMAP protocol and example, but you don't say
> this there.  Actually, I don't think you need to say it in either place,
> and suggest simply removing it here (and in Section 4.4).

Hmm, it is probably okay to not mention this, as you propose.  Anyone
implementing SMTP or IMAP will need to be conversant with the relevant

> -- Section 4.4 --
> In the SMTP protocol, you should have "[Negotiate TLS...]" before the
> SMTP AUTH command, as you do in Section 4.1.

The running text does have "TLS negotiation is not shown but as noted
above it is required for the use of Bearer Tokens", but I support making
the examples consistent (and explicit about the use of TLS).