Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-01.txt

William Mills <wmills@yahoo-inc.com> Thu, 31 May 2012 14:56 UTC

References: <20120530190226.12880.56537.idtracker@ietfa.amsl.com> <1338415028.63249.YahooMailNeo__38044.4741262638$1338415043$gmane$org@web31802.mail.mud.yahoo.com> <87zk8orfpa.fsf@latte.josefsson.org>
Message-ID: <1338476205.39484.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Thu, 31 May 2012 07:56:45 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Simon Josefsson <simon@josefsson.org>
In-Reply-To: <87zk8orfpa.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-01.txt

>________________________________
> From: Simon Josefsson <simon@josefsson.org>
>To: William Mills <wmills@yahoo-inc.com> 
>Cc: "kitten@ietf.org" <kitten@ietf.org> 
>Sent: Thursday, May 31, 2012 12:07 AM
>Subject: Re: I-D Action: draft-ietf-kitten-sasl-oauth-01.txt
> 
>This version looks much better to me -- thanks!
>
>As we discovered for RFC 6595, you may want to expand the TLS
>certificate verification text with some RFC 6125 wording.  See fifth
>paragraph of section 4 of RFC 6595.  It should also explain which
>identity string is compared to what's in the certificate.

I'll take a look, thanks.

>
>Also, it seems this variant supports the PLUS channel-binding enabled
>variant (I have not read the draft in detail there, but it is
>mentioned), so shouldn't it then also be able to support per-message
>tokens and GSS_Pseudo_random?  This could be done similar to SAML20EC
>(which is work in progress, but the mechanism it eventually uses could
>be the same).

Yes, it's -PLUS instead of doing CB in a single profile.  In the draft it
discusses the fact that some auth profiles have secrets that can be used
for per message signing, so I think it COULD support per message tokens. If
there is no shared secret to use I don't think there's a way to bootstrap
this in channel that increases the security properties.

>
>/Simon
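An added illustration of the per-message signing point discussed in this exchange (example code written for this page, not code from the draft, the thread, or any SASL implementation). It assumes a hypothetical construction: a shared secret that accompanies a MAC-style token is mixed with a channel-binding value (standing in for tls-unique) to derive a per-session key, and each message carries an HMAC over a sequence number and its payload. The second scenario shows why a bearer token alone cannot provide the same property: the only material the server holds is the token itself, which was sent in the initial client response, so a tag keyed on it verifies for whoever holds the token. All secrets, tokens and messages below are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from the draft or the thread.
SHARED_SECRET = b"example-mac-key-issued-with-token"  # secret paired with a MAC-style token
BEARER_TOKEN = b"example-bearer-token-value"           # bearer token: no separate secret
CHANNEL_BINDING = os.urandom(32)                       # stands in for this session's tls-unique


def derive_message_key(shared_secret: bytes, channel_binding: bytes) -> bytes:
    """Derive a per-session message key (hypothetical construction).

    Mixing the channel-binding value into the derivation ties every message
    tag to this TLS session, which is the property a -PLUS variant is after.
    """
    return hmac.new(shared_secret, b"msg-key|" + channel_binding, hashlib.sha256).digest()


def sign_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Tag = HMAC-SHA256(key, seq || payload); the sequence number defeats replay."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class MessageVerifier:
    """Server-side check: constant-time tag comparison plus strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def verify(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if seq <= self.last_seq:
            return False  # replayed or reordered message
        expected = sign_message(self.key, seq, payload)
        if not hmac.compare_digest(expected, tag):
            return False  # tampered payload, wrong key, or a different session
        self.last_seq = seq
        return True


def run_shared_secret_scenario() -> dict:
    """Client and server both derive the session key from the shared secret."""
    key = derive_message_key(SHARED_SECRET, CHANNEL_BINDING)
    server = MessageVerifier(key)
    msg = b"SELECT INBOX"
    tag = sign_message(key, 1, msg)
    results = {}
    results["genuine"] = server.verify(1, msg, tag)                    # accepted
    results["tampered"] = server.verify(2, b"DELETE INBOX", tag)       # payload changed
    results["replayed"] = server.verify(1, msg, tag)                   # seq already seen
    other_key = derive_message_key(SHARED_SECRET, os.urandom(32))      # another TLS session
    results["other_session"] = server.verify(3, msg, sign_message(other_key, 3, msg))
    return results


def run_bearer_scenario() -> dict:
    """With a bearer token the server has nothing but the token to key tags on,
    and that token already crossed the wire in the initial client response.
    A tag keyed on it therefore verifies for any holder of the token, so it
    adds no integrity beyond what the TLS channel itself provides."""
    server = MessageVerifier(BEARER_TOKEN)
    token_as_seen_in_initial_response = BEARER_TOKEN
    tag = sign_message(token_as_seen_in_initial_response, 1, b"DELETE INBOX")
    return {"any_token_holder_verifies": server.verify(1, b"DELETE INBOX", tag)}


if __name__ == "__main__":
    print(run_shared_secret_scenario())
    print(run_bearer_scenario())
```

The contrast is the point of the thread: a MAC-style token comes with a secret the server never sees on the wire after issuance, so a per-message tag bound to the channel can be verified and replay rejected; a bearer token has no such secret, so nothing done "in channel" raises the integrity guarantee above that of the TLS session already carrying it.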