IETF Logo Mail Archive

Re: [kitten] Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02

Sam Hartman <hartmans-ietf@mit.edu> Fri, 08 April 2011 18:51 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD1283A69CC for <kitten@core3.amsl.com>; Fri, 8 Apr 2011 11:51:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.831
X-Spam-Level:
X-Spam-Status: No, score=-102.831 tagged_above=-999 required=5 tests=[AWL=-0.566, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V1qwI-XrhhyD for <kitten@core3.amsl.com>; Fri, 8 Apr 2011 11:51:45 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id 05D533A69B4 for <kitten@ietf.org>; Fri, 8 Apr 2011 11:51:44 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 591A5201A2; Fri, 8 Apr 2011 14:50:12 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A8682446E; Fri, 8 Apr 2011 14:53:24 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Cantor, Scott E." <cantor.2@osu.edu>
References: <20110408070506.12ECB3A6A4C@core3.amsl.com> <416848.75882.qm__16525.0710481361$1302247955$gmane$org@web32314.mail.mud.yahoo.com> <87hba9b13i.fsf@latte.josefsson.org> <tsl4o684s5q.fsf@mit.edu> <754979.46407.qm@web32303.mail.mud.yahoo.com> <tslr59c3asv.fsf@mit.edu> <7EE86E89365CA94F8E7B8251F926071007AC12BC@CIO-KRC-D1MBX01.osuad.osu.edu>
Date: Fri, 08 Apr 2011 14:53:24 -0400
In-Reply-To: <7EE86E89365CA94F8E7B8251F926071007AC12BC@CIO-KRC-D1MBX01.osuad.osu.edu> (Scott E. Cantor's message of "Fri, 8 Apr 2011 17:44:37 +0000")
Message-ID: <tslipuo378b.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "kitten@ietf.org" <kitten@ietf.org>, Simon Josefsson <simon@josefsson.org>, Sam Hartman <hartmans-ietf@mit.edu>, Tim Showalter <timshow@yahoo-inc.com>
Subject: Re: [kitten] Fw: New Version Notification for draft-mills-kitten-sasl-oauth-02
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 18:51:46 -0000

>>>>> "Cantor," == Cantor, Scott E <cantor.2@osu.edu> writes:

    >> I think all you have to do is communicate the channel binding
    >> type you support.

    Cantor,> I think you mean "the type you used", at least based on my
    Cantor,> reading of GS2.

I do.

    Cantor,> On the general subject of tls-unique vs. endpoint, I had a
    Cantor,> brief conversation with Simon about it, and I think some
    Cantor,> clarification on how server applications would be expected
    Cantor,> to use tls-endpoint would be useful.

Probably.

    Cantor,> How is it expected that servers would distinguish clients

I'd expect that is what the SASL authentication is for.
(Note that HTTP is more complex; you need cookies or some other
distinguisher there).

In something like IMAP, at the end of SASL, we have:

1) Client did mutual auth with server. It knows that the server at the
other end of the TLS exchange with a given certificate is the party
named in the SASL exchange.
It knows that a particular TLS connection reaches that party.

2) Server knows that  the client is as named in the SASL exchange.
Server also knows that the client believes that the party identified by
the particular endpoint CB is the only party besides the client involved
in the TLS exchange.

One critical part of #2 is that if the client didn't confirm the channel
binding, the client would have given up rather than starting  the SASL
authentication.


Unless I'm missing something (wouldn't be the first time) I think 1 and
2 are sufficient for a non-HTTP use case.

v2.23.0 | Report a Bug | By Email