Re: [kitten] sasl-oauth "user" as a kvpair or in the gs2 header?
Bill Mills <wmills@yahoo-inc.com> Tue, 04 March 2014 15:56 UTC
References: <1393869321.174.YahooMailNeo@web125602.mail.ne1.yahoo.com> <tslr46j2kbm.fsf@mit.edu> <1393875779.29082.YahooMailNeo@web125604.mail.ne1.yahoo.com> <tsld2i21j7u.fsf@mit.edu> <1393926562.54403.YahooMailNeo@web125603.mail.ne1.yahoo.com>
Message-ID: <1393948558.69282.YahooMailNeo@web125602.mail.ne1.yahoo.com>
Date: Tue, 04 Mar 2014 07:55:58 -0800
From: Bill Mills <wmills@yahoo-inc.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <1393926562.54403.YahooMailNeo@web125603.mail.ne1.yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/pb9rgZ2izOV5VHEesrNtIEXCX3M
Cc: "kitten@ietf.org" <kitten@ietf.org>
It is not used as a SASL identity. Quoting from -03 and -14 in progress:

"user (REQUIRED): Contains the user name being authenticated. The server MAY use this as a routing or database lookup hint. The server MUST NOT use this as authoritative, the user name MUST be asserted by the OAuth credential."

Also, looking at the Google API docs for XOAUTH2, they implemented based on the -03 spec and have the "user=$username" syntax. See https://developers.google.com/gmail/xoauth2_protocol

Based on Google's server API and the extant clients they have I'd like to ask for a consensus call on the following:

1) Add the -03 "user" kvpair back into the spec.
   a) YES or
   b) NO.

2) Should we include a GS2 header?
   a) No, let's wait for the GS2 update that deals with things that lack mutual auth and then write a spec that defines a GS2 header for SASL+OAUTH.
   b) Change the definition of "key" in kvpair to 1*(ALPHA / ","). This makes a GS2 header followed by a ^A (i.e. "n,a=user@example.com^A") a valid kvpair which would be ignored by servers that don't understand it.
   c) Define a stub OPTIONAL GS2 header explicitly.
   d) Include a fully defined GS2 header (language from draft -10).

My own feedback is 1: YES, 2: a or b.

-bill

--------------------------------
William J. Mills
"Paranoid" MUX
Yahoo!

On Tuesday, March 4, 2014 12:06 AM, Sam Hartman <hartmans-ietf@mit.edu> wrote:

Let's discuss Thursday. I'd like to understand what the user= value signifies and whether it's actually a SASL authorization identifier. I'd like to understand whether there's value in an unprotected SASL authorization identifier.
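The following Python is an added illustration of the two technical points in the message above, the quoted "user is a hint, the credential asserts the identity" rule and option 2b (widening key to 1*(ALPHA / ",") so that a GS2 header followed by ^A parses as an ignorable kvpair). It is not code from the thread, the drafts, or any implementation. The kvpair grammar it enforces (key = 1*ALPHA, value = *(VCHAR / SP / HTAB / CR / LF), kvsep = %x01, client response = *kvpair kvsep) is my recollection of draft -03 and is an assumption here; the TOKENS table standing in for token validation is constructed.

```python
import re

KVSEP = "\x01"  # kvsep = %x01 in the sasl-oauth drafts (assumed from -03)

# Assumed -03 ABNF: key = 1*ALPHA, value = *(VCHAR / SP / HTAB / CR / LF).
# Option 2b from the thread widens key to 1*(ALPHA / ",").
_KEY_STRICT = re.compile(r"[A-Za-z]+\Z")
_KEY_2B = re.compile(r"[A-Za-z,]+\Z")
_VALUE = re.compile(r"[\x21-\x7e \t\r\n]*\Z")


def parse_client_response(msg, allow_comma_in_key=False):
    """Parse client_resp = *kvpair kvsep into a dict of key -> value.

    Raises ValueError on anything the grammar rejects. With the strict key
    rule a message that opens with a GS2 header ("n,a=...") is malformed;
    with the 2b rule "n,a" is just a key the server can ignore.
    """
    if not msg.endswith(KVSEP):
        raise ValueError("missing final kvsep")
    body = msg[:-1]
    pairs = {}
    if body == "":
        return pairs  # empty client response: a lone kvsep
    if not body.endswith(KVSEP):
        raise ValueError("last kvpair not terminated by kvsep")
    key_re = _KEY_2B if allow_comma_in_key else _KEY_STRICT
    for item in body[:-1].split(KVSEP):
        key, sep, value = item.partition("=")
        if not sep or not key_re.match(key) or not _VALUE.match(value):
            raise ValueError("malformed kvpair: %r" % item)
        if key in pairs:
            raise ValueError("duplicate key: %r" % key)
        pairs[key] = value
    return pairs


def parses(msg, allow_comma_in_key=False):
    """True if msg is accepted under the chosen key rule."""
    try:
        parse_client_response(msg, allow_comma_in_key)
        return True
    except ValueError:
        return False


# Constructed stand-in for token validation/introspection: bearer token ->
# the identity the authorization server asserts for it. Not a real OAuth flow.
TOKENS = {
    "tok-alice-1": "alice@example.com",
    "tok-bob-7": "bob@example.com",
}

KNOWN_KEYS = {"user", "host", "port", "auth"}


def authenticate(msg, tokens=TOKENS, allow_comma_in_key=True):
    """Server side: the authenticated identity comes only from the credential.

    "user" is kept purely as a routing/lookup hint, as the draft text quoted
    in the thread requires; keys the server does not understand (including a
    2b-style "n,a" key) are reported and ignored rather than rejected.
    """
    pairs = parse_client_response(msg, allow_comma_in_key)
    ignored = sorted(k for k in pairs if k not in KNOWN_KEYS)
    scheme, _, token = pairs.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth kvpair must carry a Bearer token")
    identity = tokens.get(token)
    if identity is None:
        raise ValueError("unknown or invalid token")
    hint = pairs.get("user")
    return {
        "authenticated_user": identity,                  # asserted by the token
        "routing_hint": hint,                            # advisory only
        "hint_matches": hint is None or hint == identity,
        "ignored_keys": ignored,
    }
```

Two things worth noticing when running it: a message whose "user=" hint names alice but whose token belongs to bob authenticates as bob, because the hint is never consulted for identity, only surfaced as a mismatch flag for logging or policy; and the 2b trick only works when the GS2 header carries an "a=" authzid, since a header like "n,," contains no "=" and fails the kvpair rule under either key definition.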