Re: [kitten] Joel Jaeggli's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)

Bill Mills <wimills@microsoft.com> Mon, 25 May 2015 16:41 UTC

From: Bill Mills <wimills@microsoft.com>
To: Joel Jaeggli <joelja@bogus.com>, The IESG <iesg@ietf.org>
Date: Mon, 25 May 2015 16:40:25 +0000
Message-ID: <BLUPR03MB407FA6C43486826DE64F39FA8CD0@BLUPR03MB407.namprd03.prod.outlook.com>
References: <20150525155753.4748.29014.idtracker@ietfa.amsl.com>
In-Reply-To: <20150525155753.4748.29014.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/XxnQPZOMIUMSC5JYF3MllwI4fzw>
Cc: "kitten-chairs@ietf.org" <kitten-chairs@ietf.org>, "draft-ietf-kitten-sasl-oauth.shepherd@ietf.org" <draft-ietf-kitten-sasl-oauth.shepherd@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-sasl-oauth@ietf.org" <draft-ietf-kitten-sasl-oauth@ietf.org>, "draft-ietf-kitten-sasl-oauth.ad@ietf.org" <draft-ietf-kitten-sasl-oauth.ad@ietf.org>
Subject: Re: [kitten] Joel Jaeggli's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>

"Can someone explain to me a situation where integrity protection is not desirable (possibly rhetorical). It seems like it might be better to clarify what the exception is and use a blanket must for everything else."

In OAuth there's no guarantee of a shared context that has a secret that can be used to provide integrity protection. Some OAuth mechanisms, like "holder of key/proof of possession" tokens, do have one, but not all.

Regards,

-bill

-----Original Message-----
From: Joel Jaeggli [mailto:joelja@bogus.com] 
Sent: Monday, May 25, 2015 8:58 AM
To: The IESG
Cc: kaduk@mit.edu; kitten-chairs@ietf.org; draft-ietf-kitten-sasl-oauth.shepherd@ietf.org; draft-ietf-kitten-sasl-oauth@ietf.org; draft-ietf-kitten-sasl-oauth.ad@ietf.org; kitten@ietf.org
Subject: Joel Jaeggli's No Objection on draft-ietf-kitten-sasl-oauth-22: (with COMMENT)

Joel Jaeggli has entered the following ballot position for
draft-ietf-kitten-sasl-oauth-22: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-oauth/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

   SASL mechanisms using this document as their definition do not
   provide a data security layer; that is, they cannot provide integrity
   or confidentiality protection for application messages after the
   initial authentication.  If such protection is needed, TLS or some
   similar solution should be used.  Additionally, for the two
   mechanisms specified in this document, TLS MUST be used for
   OAUTHBEARER to protect the bearer token; for OAUTH10A the use of TLS
   is RECOMMENDED.

Can someone explain to me a situation where integrity protection is not desirable (possibly rhetorical). It seems like it might be better to clarify what the exception is and use a blanket must for everything else.
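An added illustration of the point in Bill's reply, not code from the draft or from either author: the client response builder follows the draft's OAUTHBEARER layout (GS2 header, then ^A-separated key=value pairs), while the holder-of-key signing is an assumed construction that the draft does not define. A server holding only a bearer token has no secret to check the rest of the message against, so an edited response is still accepted; a key-bound token gives it something to HMAC.

```python
import hashlib
import hmac

SEP = "\x01"  # ^A, the key/value separator in the OAUTHBEARER client response

def oauthbearer_client_response(authzid: str, host: str, port: int, token: str) -> bytes:
    """Initial client response in the draft's format: a GS2 header, then
    ^A-separated key=value pairs, closed by an extra ^A."""
    gs2_header = f"n,a={authzid},"
    pairs = [f"host={host}", f"port={port}", f"auth=Bearer {token}"]
    return (gs2_header + SEP + SEP.join(pairs) + SEP + SEP).encode()

def parse_client_response(msg: bytes) -> dict:
    """Split a client response into its GS2 header and key/value pairs."""
    head, _, rest = msg.decode().partition(SEP)
    fields = {"gs2": head}
    for kv in rest.split(SEP):
        if kv:
            key, _, value = kv.partition("=")
            fields[key] = value
    return fields

def bearer_server_accepts(msg: bytes, issued_tokens: set) -> bool:
    """With a bearer token the server can only check that the token is one it
    issued; authzid, host and port carry nothing that authenticates them."""
    fields = parse_client_response(msg)
    return fields.get("auth", "").removeprefix("Bearer ") in issued_tokens

# Illustrative holder-of-key variant (an assumption here; the draft defines no
# such binding): the token is tied to a secret shared by client and server, so
# the client can MAC the response and the server can detect any modification.
def pop_sign(msg: bytes, pop_key: bytes) -> bytes:
    mac = hmac.new(pop_key, msg, hashlib.sha256).hexdigest()
    return msg + f"mac={mac}{SEP}".encode()

def pop_server_accepts(signed: bytes, keys_by_token: dict) -> bool:
    msg, _, mac_field = signed.rpartition(b"mac=")
    fields = parse_client_response(msg)
    pop_key = keys_by_token.get(fields.get("auth", "").removeprefix("Bearer "))
    if pop_key is None:
        return False
    expected = hmac.new(pop_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac_field.decode().rstrip(SEP), expected)
```

Rewriting the authzid in a response leaves bearer_server_accepts returning True, while the same edit makes pop_server_accepts return False.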