IETF Logo Mail Archive

Re: [kitten] Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02

Nico Williams <nico@cryptonector.com> Fri, 08 April 2011 19:26 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 27CD23A69EF for <kitten@core3.amsl.com>; Fri, 8 Apr 2011 12:26:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.943
X-Spam-Level:
X-Spam-Status: No, score=-1.943 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P5-a+8bVvDUl for <kitten@core3.amsl.com>; Fri, 8 Apr 2011 12:26:57 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (caiajhbdcaib.dreamhost.com [208.97.132.81]) by core3.amsl.com (Postfix) with ESMTP id 6DE1B3A6975 for <kitten@ietf.org>; Fri, 8 Apr 2011 12:26:57 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTP id E388A584064 for <kitten@ietf.org>; Fri, 8 Apr 2011 12:28:42 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=Tn864hcZtkexF4zfEh4fPPfyWBj2dLIE/vE6BGHB+Hnd JlrT4iS8F6/HpP2oc0nq54wTaPQ/LSNQcf7hycqKQCZUmYyvd1MBqQdX1Nt0bnKL MI9ZGTZm5ejD6WKUsr1vaR7dUAL52f85TbXKo9tubyNtiZwGtLF4279wzLxbBKA=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=0BgvYCojliBRVmhxZHSo2rem1NY=; b=rUo50hlvHYt LhBauJ0snL0SFyBtuz8K6Me5qDerJCeRt6JiGOaPLjeL154WwYUtCwLu31MwVpT2 wK6EN7KOQ8lMFwK5yjddH7RVwrd0RJjX+3dzub90Np9PuWq+BAOb7rs2HPqlKP/e CqF1p9LiejZ9Awmeee1sGFZ61e0ftWvk=
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTPSA id B2D2C584058 for <kitten@ietf.org>; Fri, 8 Apr 2011 12:28:42 -0700 (PDT)
Received: by vxg33 with SMTP id 33so3589983vxg.31 for <kitten@ietf.org>; Fri, 08 Apr 2011 12:28:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.92.38 with SMTP id cj6mr3668591vdb.254.1302290922065; Fri, 08 Apr 2011 12:28:42 -0700 (PDT)
Received: by 10.52.166.42 with HTTP; Fri, 8 Apr 2011 12:28:41 -0700 (PDT)
In-Reply-To: <7EE86E89365CA94F8E7B8251F926071007AC12BC@CIO-KRC-D1MBX01.osuad.osu.edu>
References: <20110408070506.12ECB3A6A4C@core3.amsl.com> <416848.75882.qm__16525.0710481361$1302247955$gmane$org@web32314.mail.mud.yahoo.com> <87hba9b13i.fsf@latte.josefsson.org> <tsl4o684s5q.fsf@mit.edu> <754979.46407.qm@web32303.mail.mud.yahoo.com> <tslr59c3asv.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007AC12BC@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Fri, 08 Apr 2011 14:28:41 -0500
Message-ID: <BANLkTinWhVk1sbvFaakZ=xsCD2soeF3TDg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Cantor, Scott E." <cantor.2@osu.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "kitten@ietf.org" <kitten@ietf.org>, Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, Tim Showalter <timshow@yahoo-inc.com>
Subject: Re: [kitten] Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 19:26:58 -0000

On Fri, Apr 8, 2011 at 12:44 PM, Cantor, Scott E. <cantor.2@osu.edu> wrote:
>> I think all you have to do is communicate  the channel binding type you
>> support.
>
> I think you mean "the type you used", at least based on  my reading of GS2.
>
> On the general subject of tls-unique vs. endpoint, I had a brief conversation with Simon about it, and I think some clarification on how server applications would be expected to use tls-endpoint would be useful.

Regardless of the CB type, the application asks the channel for the CB
data of the selected CB type.

Since we lack a CB type negotiation facility, the CB type needs to be
selected a priori.  For various reasons tls-server-end-point is the
most practical CB type for HTTP and various other applications.

The reason tls-server-end-point is more practical than tls-unique in
some cases has to do with TLS concentrators: try and extract
tls-unique CB data from them :(  But the TLS server certificate is
easily enough copied around, configured wherever tls-server-end-point
CB data might be needed.

> How is it expected that servers would distinguish clients at the app layer when non-unique CB is used?

Servers have never distinguished clients by CB data before, so this
question answers itself: "the same way they always have" :)

In the case of HTTPS the answer is, whether you like it or not, "cookies".

Nico
--

v2.23.0 | Report a Bug | By Email