Re: [kitten] Updating OAuth SASL
William Mills <wmills@yahoo-inc.com> Fri, 23 November 2012 00:17 UTC
Return-Path: <william_john_mills@yahoo.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD8D421F850A for <kitten@ietfa.amsl.com>; Thu, 22 Nov 2012 16:17:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.045
X-Spam-Level:
X-Spam-Status: No, score=-17.045 tagged_above=-999 required=5 tests=[AWL=0.553, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+yuVpHrs8IU for <kitten@ietfa.amsl.com>; Thu, 22 Nov 2012 16:17:18 -0800 (PST)
Received: from nm23-vm2.bullet.mail.ne1.yahoo.com (nm23-vm2.bullet.mail.ne1.yahoo.com [98.138.91.211]) by ietfa.amsl.com (Postfix) with ESMTP id D950A21F8466 for <kitten@ietf.org>; Thu, 22 Nov 2012 16:17:17 -0800 (PST)
Received: from [98.138.90.54] by nm23.bullet.mail.ne1.yahoo.com with NNFMP; 23 Nov 2012 00:17:12 -0000
Received: from [98.138.226.162] by tm7.bullet.mail.ne1.yahoo.com with NNFMP; 23 Nov 2012 00:17:11 -0000
Received: from [127.0.0.1] by omp1063.mail.ne1.yahoo.com with NNFMP; 23 Nov 2012 00:17:11 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 909144.40034.bm@omp1063.mail.ne1.yahoo.com
Received: (qmail 1097 invoked by uid 60001); 23 Nov 2012 00:17:11 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1353629831; bh=6doFpyAC6ppZ1MMcRrCtbDdu9SsbFPSghbfGs6Dq8fQ=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=5jJ3PXxIqTiSwGgT9OBqzlHtGsWdFWuL7ij2F9R54J8IPoPLOTAbD0htDsSlq4U45Wp3pUUxu02mTxw15OxRMfQ4Xtkjz41ptj6fXOuM4/e3qmwoyijaFjmKelz5Cs5i+dEFXlY83/jg8rRR06/k5jFFop9uKWHYL10DZD/JUOs=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=owv/+ru815BXI9H9uH/TvYataUkHCwVeCGMneO/M1VNoVqRqyJJp/uIH63fy1ew5UTzKHfAMyTKwSYH6d5ubUqYGSgIjrGVS9gZPhlUXmPTvq1qbhSyEuCL6HuYOB6HM8iWfMPinXqyaotTsqBy2jCKGQBQbeMPR1sVe6SiNayk=;
X-YMail-OSG: p6TrsnEVM1nJqYQnanvQkRCeE2_r_Q9P0R._B1TEIiV5GB. TIjOb7zqr_sGvgMSuVWXt8KxcDVHRKAFD0wLn3.kBDVFzzBAwOQQyVsxsPRX 2i_QRZirGWe6WCaNjRsYNXo_0LlkwpUpQuOq.QaYZRhEzkMjQ7IJsJ4idA8Z SDa0mWh96nnj6p5FnrHhInV2hxRq_gs_KnOWpxCChQL6259aZyZB5Em0iBa3 vMMyY8QQlkqEsCPecY8IKxO15_qPjVyeB4fwzPZqSa4z4caGQB5Q_XUgpOhY 4kfnEVMk5WVOUxwE0A4JwlmTvUh7SAAYjl13q8uXCxNEUlssTUVx4kT4WAeU cSOITVG8MRKcNcQJ3UO5jlOI0Sz_60w6r5m0.l5QlmvClyd4H3V39n2SaJ9Q Fy0i1m0hYDOg7HNRiWK..W7nAlH2IjO35LAhr8zyin7p09aq4zm9_ECImNjq wXDLbWqpNeTzqXEii4vpulyqi5kNRXa.gomJ9XzMGXzeLPiv63igUQ7KvmQm M6IJpNAZ37SV1twotDgwkJxHunNLKvmrD8JgnNUm3WE8v61arb4IYmzsO2kH T4PNQgFDNEzVMJ.03gVzJKXswZgL_8Lu5xVIFxybK9aUPmURKf3QVljPk_Ij .4esqbo23b1pKq.23cPoHfA--
Received: from [99.31.212.42] by web31801.mail.mud.yahoo.com via HTTP; Thu, 22 Nov 2012 16:17:11 PST
X-Rocket-MIMEInfo: 001.001, Tm93aGVyZSBpbiBPQXV0aCBkbyB3ZSB0YWxrIGFib3V0IG5vcm1hbGl6aW5nIG9yIGNhbm9uaWNhbGl6aW5nIG5hbWVzIElJUkMsIHNvIHRoZXJlJ3MgYXQgbGVhc3Qgb25lIHdheSB0aGlzIHdvbid0IHdvcmsuwqDCoCBJIGtub3cgd2hhdCBwcm9ibGVtIEkgd2FzIHRyeWluZyB0byBzb2x2ZSB3aXRoIHRoYXQgbGFuZ3VhZ2UsIEkgZG9uJ3Qgc2VlIGhvdyB0aGlzIGxhbmd1YWdlIHNvbHZlcyB0aGUgcHJvYmxlbS7CoCBQZXJoYXBzIGl0IGRvZXNuJ3QgbmVlZCBzb2x2aW5nLCBJIGNvdWxkIGJlbGlldmUgdGgBMAEBAQE-
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.127.475
References: <841A324B-C22C-4FB6-9D62-9CF0430BD940@gmx.net> <1353372782.48256.YahooMailNeo@web31804.mail.mud.yahoo.com> <E53F19E5-1665-4D0F-8C78-168081B29833@gmx.net>
Message-ID: <1353629831.97525.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Thu, 22 Nov 2012 16:17:11 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <E53F19E5-1665-4D0F-8C78-168081B29833@gmx.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-368338466-1335605788-1353629831=:97525"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Updating OAuth SASL
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2012 00:17:21 -0000
Nowhere in OAuth do we talk about normalizing or canonicalizing names IIRC, so there's at least one way this won't work. I know what problem I was trying to solve with that language, I don't see how this language solves the problem. Perhaps it doesn't need solving, I could believe that. I think we need to define a way for the server to get (or derive by DB lookup for example) the identity out of the token, and we should also define how a server might get the client identity. Since nothing in the token is defined as usable for display the current text also addresses that by adding it as a requirement. How does the proposed language solve these things? -bill >________________________________ > From: Hannes Tschofenig <hannes.tschofenig@gmx.net> >To: William Mills <wmills@yahoo-inc.com>; Alexey Melnikov <alexey.melnikov@isode.com> >Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; kitten@ietf.org >Sent: Thursday, November 22, 2012 6:38 AM >Subject: Re: [kitten] Updating OAuth SASL > >Hi Bill, Hi Alexey, > >I am wondering whether we couldn't just re-use the text we have in the SASL OpenID specification. >Here is the relevant text from Section 4.1 of RFC 6616: > >---- > >4.1. GSS-API Principal Name Types for OpenID > > OpenID supports standard generic name syntaxes for acceptors such as > GSS_C_NT_HOSTBASED_SERVICE (see Section 4.1 of [RFC2743]). > > OpenID supports only a single name type for initiators: > GSS_C_NT_USER_NAME. GSS_C_NT_USER_NAME is the default name type for > OpenID. > > OpenID name normalization is covered by the OpenID specification; see > Section 7.2 of [OpenID]. > > The query, display, and exported name syntaxes for OpenID principal > names are all the same. There are no OpenID-specific name syntaxes > -- applications should use generic GSS-API name types such as > GSS_C_NT_USER_NAME and GSS_C_NT_HOSTBASED_SERVICE (see > Section 4 of [RFC2743]). The exported name token does, of course, conform to > Section 3.2 of [RFC2743], but the "NAME" part of the token should be > treated as a potential input string to the OpenID name normalization > rules. For example, the OpenID Identifier "https://openid.example/" > will have a GSS_C_NT_USER_NAME value of "https://openid.example/". > > GSS-API name attributes may be defined in the future to hold the > normalized OpenID Identifier. > >------- >Of course instead of talking about OpenID identifiers (as URIs) we would be talking about resource owner identifiers, for example, the "Principal" defined in Section 4.1.6 of JWT (in case a JSON-based structure is used to encode information, as it was done with OpenID Connect). Note that the JWT spec does not define the syntax of the principal identifier. > >Section 3.2.1 and Section 3.2.2 of the current OAuth SASL draft would be impacted. > >Does this sound reasonable? > >Ciao >Hannes > >On Nov 20, 2012, at 2:53 AM, William Mills wrote: > >> We can strike that second sentence if you want, it was there to try to clarify, and if it's not doing that kill it. >> >> >> From: Hannes Tschofenig <hannes.tschofenig@gmx.net> >> To: kitten@ietf.org >> Sent: Sunday, November 18, 2012 11:43 PM >> Subject: [kitten] Updating OAuth SASL >> >> Hi all, >> >> I have incorporated Alexey's comments into the draft and also my own earlier review comments. >> Here is the current snapshot: >> https://github.com/hannestschofenig/tschofenig-ids/blob/master/sasl-oauth/draft-ietf-kitten-sasl-oauth-09.txt >> >> There is one issue that Alexey raised, which I still have to understand better myself, namely: >> >> ----- >> >> 3.2.2. Canonicalization >> >> The identity asserted by the OAuth authorization server is canonical >> for display. The server MAY provide a different canonical form based >> on local data. >> >> I don't understand the second sentence. SASL server? How can it do that? >> >> ------ >> >> Ciao >> Hannes >> >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org >> https://www.ietf.org/mailman/listinfo/kitten >> >> > > > >
- [kitten] Updating OAuth SASL Hannes Tschofenig
- Re: [kitten] Updating OAuth SASL Alexey Melnikov
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL Hannes Tschofenig
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL Hannes Tschofenig