IETF Logo Mail Archive

Re: [kitten] SASL OAuth: Next Steps

William Mills <wmills@yahoo-inc.com> Tue, 24 January 2012 07:10 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF9021F85FD for <kitten@ietfa.amsl.com>; Mon, 23 Jan 2012 23:10:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.397
X-Spam-Level:
X-Spam-Status: No, score=-16.397 tagged_above=-999 required=5 tests=[AWL=-0.658, BAYES_20=-0.74, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Oyu-exCMfE3 for <kitten@ietfa.amsl.com>; Mon, 23 Jan 2012 23:10:31 -0800 (PST)
Received: from nm10.bullet.mail.bf1.yahoo.com (nm10.bullet.mail.bf1.yahoo.com [98.139.212.169]) by ietfa.amsl.com (Postfix) with SMTP id BB1C121F85F7 for <kitten@ietf.org>; Mon, 23 Jan 2012 23:10:30 -0800 (PST)
Received: from [98.139.212.146] by nm10.bullet.mail.bf1.yahoo.com with NNFMP; 24 Jan 2012 07:10:01 -0000
Received: from [98.139.212.237] by tm3.bullet.mail.bf1.yahoo.com with NNFMP; 24 Jan 2012 07:10:01 -0000
Received: from [127.0.0.1] by omp1046.mail.bf1.yahoo.com with NNFMP; 24 Jan 2012 07:10:01 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 357856.72253.bm@omp1046.mail.bf1.yahoo.com
Received: (qmail 82872 invoked by uid 60001); 24 Jan 2012 07:10:00 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1327389000; bh=s3t8q61UbalFX34TXMAbLm3iXkFdxpVJqW0IAKzmtNg=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=nMTyb31M6CBaYK1VJzdoKZDwsDvJiRGOA564fO8w6mTse7KZEAV1nOTMCkz+ZO8vBebmfxy0tcDcvrPlJsDS5shpJG901h6g5qaJ4c/njyuMH/l27aHSOrESM0tpGYodCNcMn2avi4/9YAI87/RGw+z4sA9sBhfZ5HtHCTkmueo=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=B7RQNtQIjMX72ypigjn6FkSteMgDYTWTHV8S6Unw9wpOn57smGqQUHnMpp5w2xsSZA3Yn5MVbeBlVltr6LNLRbSc3lyJ1+/JQ+4EvFkvVZWo3QldobGpKgESaB8NuCe602Tv5FsDAOi2Az4yslBb0q0fgkKIUnAfLW+Ah06SPXc=;
X-YMail-OSG: eb5sbyoVM1lCe9xml65rnvJjzPI52b.BjhFdBo9Hb6aOzge LpYv9nvO20Ju1MhZh38Fa1O.6aAW_H8BQYfTyivXWAE7byh_8AMsKr_1rKP4 D4b_5tq0AD8CDhOPS9pdRzoeDOiKpiDVeD3k4MbG7Kl1q2b7OSAaFJ3hZmWx djUS0iwBF4qDnWeXThbpthaHZD95kWykQNqMCuwG8LyFVVh4jvoEhMtFmsC9 K.G4ewLyxgZNmccMiaO4_lo4orxOUDbk8TpijJRWx4hp7lanjC2i8fG0BVnU K4If6EQu0f9hLqFyXzftqD7KPXtq8a5UJ5GdteCyJ6RnQkMJL6BJDhCvu9cM .3srgtpujQE0TQ3ijc18wC2A1MCRpJybB58on2GxfBlUgo96ADvz837Aghdm IL9gAD2GR8yKo2TLI.UfEWWyWAh4kQUuS_5jH6K59OrSpq_6ftIY-
Received: from [209.131.62.115] by web31807.mail.mud.yahoo.com via HTTP; Mon, 23 Jan 2012 23:10:00 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.338427
References: <999913AB42CC9341B05A99BBF358718DE38797@FIESEXC035.nsn-intra.net> <4F04E442.4000702@yahoo-inc.com> <C0B5568F50F6582F8EE6E4BA@96B2F16665FF96BAE59E9B90> <8762gqev30.fsf@windlord.stanford.edu> <4F06183B.4010401@yahoo-inc.com> <1325808084.1216.YahooMailNeo@web31812.mail.mud.yahoo.com>
Message-ID: <1327389000.74641.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Mon, 23 Jan 2012 23:10:00 -0800
From: William Mills <wmills@yahoo-inc.com>
To: William Mills <wmills@yahoo-inc.com>, Tim Showalter <timshow@yahoo-inc.com>, Russ Allbery <rra@stanford.edu>
In-Reply-To: <1325808084.1216.YahooMailNeo@web31812.mail.mud.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-125733401-1741771676-1327389000=:74641"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SASL OAuth: Next Steps
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 07:10:32 -0000

I've been thinking about this quite a bit, and Tim's rebuke to me privately that I really should think about JSON seriously before dismissing the idea because HTTP really is harder to parse than I think it is struck home.

I'm still stuck on the fact that I think the HTTP we have to parse in the client for the mechanism to work is all OAuth 2 protocol 
or defined in the mechanims (discovery) so it's more limited.  On the server side it's very limited, only enough to figure out the discovery.  So I don't think the HTTP here is that scary. The actual HTTP we have to parse for the mechanism to work on the server side is mimimal, and well defined.  Am I wrong?


SO.... I'm trying to figure out how this would work and what we'd need to do in order to make JSON work instead of HTTP as the authentication message format.  My assumptions are:
  

-    We're passing the Auth header in to a library, the SASL mechanism itself doesn't need to parse it.


We need to support right now for the profiles I know about:

-    The user name and host name for discovery
-    The port number for things like MAC authentication
-    the Authorization header payload
-    discovery information for return to the client


It's possible we'll also need to pass in:

-    The HTTP POST payload for profiles that require it (though I was assuming GET only initially)
-    Something else I'm forgetting about... or for extension flexibility?


In the end I'm presuming we're passing all the real HTTP into a library that will understand it anyway (which is how my initial implementation is working) so we don't need to dive down into the header and POST body payload in the JSON. If this is right then the JSON doesn't look that hard, but then again if what I have above is correct then we're not talking about a general use HTTP parser either.


The OAuth 1.0a library I was playing with for this consumes and gives back the entire Auth header, but I don't know if that design pattern is common.

Where do we go from here?

-bill







________________________________
 From: William Mills <wmills@yahoo-inc.com>
To: Tim Showalter <timshow@yahoo-inc.com>; Russ Allbery <rra@stanford.edu> 
Cc: "kitten@ietf.org" <kitten@ietf.org> 
Sent: Thursday, January 5, 2012 4:01 PM
Subject: Re: [kitten] SASL OAuth: Next Steps
 

Yeah, I really hate this.

There's stuff in the MAC token spec for example that requires knowing the URL path, fragments, hostname, etc., and so we have to include every element form HTTP that might be required for any OAuth (HTTP based itself) authorization scheme.  This means we have to write an entire mapping grammar for an entire HTTP payload into JSON.

While I agree that HTTP is non-trivial to parse, I don't think it's compelling enough for me to like the change to JSON because there are enough HTTP parsing libraries out there that an implementer should not have to do their own, they should pull one in.
As I said before, designing this in a vacuum HTTP is far down the list, but I think in light of the fact that we're bridging from something that *is* HTTP it is less complex overall to stay consistent.



-bill



________________________________
 From: Tim Showalter <timshow@yahoo-inc.com>
To: Russ Allbery <rra@stanford.edu> 
Cc: "kitten@ietf.org" <kitten@ietf.org> 
Sent: Thursday, January 5, 2012 1:38 PM
Subject: Re: [kitten] SASL OAuth: Next Steps
 
On 1/4/12 6:34 PM, Russ Allbery wrote:
> Chris Newman<chris.newman@oracle.com>  writes:
>> Having a SASL parser call out to a header parser would be poor security
>> design, because every line of code is an additional potential security
>> vulnerability (especially prior to authentication) and a lot of code is
>> needed for a 100% correct header parser. So I think it's actually
>> important for a SASL mechanism to not accept arbitrary header syntax.
> 
> Based on my experience writing netnews implementations, which use RFC 5322
> header field syntax very akin to the HTTP header field syntax, I
> completely concur with Chris's reaction.  The header field syntax is
> surprisingly complex, particularly in the presence of encoding and
> character set issues, and most
 implementors do not implement it properly.

I'm really sorry to hear that -- I suspect you're right, and I don't like it.  I think trying to constrain JSON and define the mappings is going to be a lot of work.

Is there a simple way to specify a general mapping?  Or are we going to have to do this on a per-header basis?

Tim
_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten



_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten

v2.43.4 | Report a Bug | By Email | System Status