Re: [kitten] sasl-oauth "user" as a kvpair or in the gs2 header?
Bill Mills <wmills@yahoo-inc.com> Tue, 04 March 2014 18:04 UTC
It is not used as a SASL identity. Quoting from -03 and -14 in progress:

"user (REQUIRED): Contains the user name being authenticated. The server MAY use this as a routing or database lookup hint. The server MUST NOT use this as authoritative, the user name MUST be asserted by the OAuth credential."

Also, looking at the Google API docs for XOAUTH2, they implemented based on the -03 spec and have the "user=$username" syntax. See https://developers.google.com/gmail/xoauth2_protocol

Based on Google's server API and the extant clients they have I'd like to ask for a consensus call on the following:

1) Add the -03 "user" kvpair back into the spec.
   a) YES or b) NO.

2) Should we include a GS2 header?
   a) No, let's wait for the GS2 update that deals with things that lack mutual auth and then write a spec that defines a GS2 header for SASL+OAUTH.
   b) Change the definition of "key" in kvpair to 1*(ALPHA / ","). This makes a GS2 header followed by a ^A (i.e. "n,a=user@example.com^A") a valid kvpair which would be ignored by servers that don't understand it.
   c) Define a stub OPTIONAL GS2 header explicitly.
   d) Include a fully defined GS2 header (language from draft -10).

My own feedback is 1: YES, 2: a or b.

-bill

--------------------------------
William J. Mills
"Paranoid" MUX
Yahoo!

On Tuesday, March 4, 2014 12:06 AM, Sam Hartman <hartmans-ietf@mit.edu> wrote:

> Let's discuss Thursday. I'd like to understand what the user= value signifies and whether it's actually a SASL authorization identifier. I'd like to understand whether there's value in an unprotected SASL authorization identifier.
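An added illustration of the two points in the mail above (it is editor-written example code, not part of the thread, the draft, or Google's XOAUTH2 implementation): a kvpair parser with the -03/-14 key grammar beside the option 2b grammar, showing that "n,a=user@example.com^A" is rejected under the former and parsed as an ignorable key under the latter, and a server check that treats "user" purely as a hint while the bearer token asserts the identity. The token table and all sample responses are constructed for the example.

```python
import re

KVSEP = "\x01"  # kvsep = %x01 (the "^A" in the mail)

# Key grammar as in the -03/-14 drafts: key = 1*(ALPHA).
KEY_STRICT = re.compile(r"^[A-Za-z]+$")
# Option 2b from the mail: key = 1*(ALPHA / ","), so a GS2 header "n,a" is a legal key.
KEY_2B = re.compile(r"^[A-Za-z,]+$")
# value = *(VCHAR / SP / HTAB / CR / LF)
VALUE_RE = re.compile(r"^[\x20-\x7e\t\r\n]*$")

# Constructed stand-in for token introspection: the token, not the "user" hint, asserts the identity.
TOKEN_TABLE = {"tok-alice-1": "alice@example.com"}
KNOWN_KEYS = frozenset({"user", "auth"})


def parse_kvpairs(client_resp, key_re=KEY_STRICT):
    """Parse '*kvpair kvsep' where kvpair = key "=" value kvsep; returns {key: value}."""
    if not client_resp.endswith(KVSEP):
        raise ValueError("response must end with kvsep")
    units = client_resp[:-1].split(KVSEP)
    if units[-1] != "":
        raise ValueError("last kvpair is missing its trailing kvsep")
    pairs = {}
    for unit in units[:-1]:
        key, eq, value = unit.partition("=")
        if not eq or not key_re.match(key) or not VALUE_RE.match(value):
            raise ValueError("malformed kvpair: %r" % unit)
        pairs[key] = value
    return pairs


def authenticate(client_resp, key_re=KEY_STRICT):
    """Server-side evaluation: returns None on failure, else a dict describing the outcome."""
    pairs = parse_kvpairs(client_resp, key_re)
    # Keys the server does not understand (e.g. "n,a" under option 2b) are skipped, not rejected.
    ignored = [k for k in pairs if k not in KNOWN_KEYS]
    scheme, _, token = pairs.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or token not in TOKEN_TABLE:
        return None
    asserted = TOKEN_TABLE[token]  # authoritative: asserted by the OAuth credential
    hint = pairs.get("user")       # routing / lookup hint only, never authoritative
    return {"user": asserted, "hint": hint,
            "hint_matches": hint == asserted, "ignored": ignored}


if __name__ == "__main__":
    resp = "user=alice@example.com" + KVSEP + "auth=Bearer tok-alice-1" + KVSEP + KVSEP
    print(authenticate(resp))
    print(authenticate("n,a=user@example.com" + KVSEP + resp, key_re=KEY_2B))
```

A mismatched hint (a forged "user=" with someone else's token) still authenticates as the token's subject, which is exactly why the draft text forbids treating the hint as authoritative.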