Re: [kitten] WGLC of draft-ietf-kitten-sasl-oauth-18

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 01 January 2015 17:41 UTC

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Thu, 01 Jan 2015 17:46:15 +0000
To: Benjamin Kaduk <kaduk@MIT.EDU>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "kitten-chairs@tools.ietf.org" <kitten-chairs@tools.ietf.org>
Subject: Re: [kitten] WGLC of draft-ietf-kitten-sasl-oauth-18

> On 31 Dec 2014, at 19:27, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> 
> We've gotten some "looks good"s on the oauth list, for those only on
> kitten@.
> 
> Just under two weeks remain in the last call period.

I generally think that the document has improved recently and it is very close to being done. But I think examples in particular need to be fixed (and I am sorry if I sound like a broken record on this, but I believe that examples are very important, as some people will just code based on them).

In 3.1:

   key = 1*(ALPHA / ",")

So the key can be a single comma character, right?

   client_resp    = (gs2-header kvsep 0*kvpair kvsep) / kvsep

Did you mean that the whole client response can be just a single separator character? I think this is not compatible with GS2 framing. If you only meant to allow that for failed authentication, I suggest you add a comment and point to section 3.2.3.

In 3.2:

Nit:

   Note that the semantics of the authz-id is specified by
   the SASL framework [RFC4422].

If this is the same as "authzid" introduced in section 3.1, then you should remove the dash. (I was wondering if this is something else.) But I think expanding this to "authorization identity" would be better.

In 3.2.2:

   oauth-configuration (OPTIONAL):  The URL for a document
      following the OpenID Provider Configuration Information schema
      as described in OpenID Connect Discovery

I think it would help to clarify that the returned value is always an https (or http?) URI. If that can be something else, saying that would be great too.

In 3.2.3:

I think you don't need to have an explicit message to cancel authentication, you can just use the SASL framework facility for this. In IMAP that would be emitted as "*\r\n".

In particular, I think Cyrus SASL based implementations can handle "here is some data from the server, but this step produces failure on the client side, so the client needs to cancel the exchange" just fine.

In 4.1:

I think you need to explain that the example is only valid in the presence of SASL-IR capability (and add an Informative reference), because the initial client response parameter to AUTHENTICATE is only allowed when SASL-IR is advertised. Or you can just use an SMTP example here.

Examples in 4.1, 4.3 and 4.4 don't show negotiation of TLS, which is a MUST level requirement for the OAUTHBEARER SASL mechanism (as per section 5), so you should fix the examples to advertise the STARTTLS capability and show use of the STARTTLS command.

If you would like me to provide full examples, let me know and I will do that.

> 
> -Ben
> 
>> On Mon, 15 Dec 2014, Benjamin Kaduk wrote:
>> 
>> This message begins the fourth Working Group Last Call (WGLC) of "A set of
>> SASL Mechanisms for OAuth" <draft-ietf-kitten-sasl-oauth-18.txt>.  Due to
>> the overlap of the last call period with holidays, the duration of the
>> WGLC is extended to four weeks, so the WGLC will end on 12 January 2015.
>> The draft is available at:
>> 
>> https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-18
>> 
>> Because the changes between -15 and -18 involve behavior changes,
>> including changes regarding discovery and dynamic registration, the Chairs
>> decided to issue an additional last call.
>> 
>> Please review the document and send comments to the Working Group
>> mailing list < kitten at ietf.org > or the co-chairs < kitten-chairs
>> at tools.ietf.org > before the end of the WGLC.  Any and all comments
>> on the document are sought in order to assess the strength of
>> consensus.  Even if you have read and commented on this or earlier
>> versions of the draft, please feel free to comment again.  This is
>> particularly important if you found issues with the previous version.
>> 
>> As a reminder, comments can be anything from "this looks fine" to
>> "this is a horrible idea"; they can include suggestions for minor
>> editorial corrections to significant editorial changes.
>> 
>> 
>> - Your Kitten Chairs
>> 
>> _______________________________________________
>> Kitten mailing list
>> Kitten@ietf.org
>> https://www.ietf.org/mailman/listinfo/kitten
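To make the two section 3.1 grammar points in the review concrete, here is an added Python parser (not from the draft, the message, or any implementation) for the draft-18 client_resp rule exactly as quoted, with the gs2-header taken from RFC 5801. The 1*ALPHA key rule shown for contrast and the sample messages are assumptions made for this demonstration; it shows that the quoted grammar admits a key consisting of a single comma and a response that is a bare separator with no GS2 header.

```python
import re

KVSEP = "\x01"
KEY_DRAFT18 = r"[A-Za-z,]+"   # as quoted from draft-18 3.1: key = 1*(ALPHA / ",")
KEY_STRICT = r"[A-Za-z]+"     # assumed tightening for contrast: key = 1*ALPHA
VALUE = r"[\x21-\x7e \t\r\n]*"  # *(VCHAR / SP / HTAB / CR / LF); never contains %x01
# gs2-header per RFC 5801: [nonstd-flag ","] cb-flag "," [authzid] ","
GS2_HEADER = r"(?:F,)?(?:n|y|p=[A-Za-z0-9.-]+),(?:a=[^,\x01]*)?,"

def parse_client_resp(msg, key_re=KEY_DRAFT18):
    """Parse client_resp = (gs2-header kvsep 0*kvpair kvsep) / kvsep; ValueError if no match."""
    if msg == KVSEP:
        # Second alternative of the rule: a lone separator, no gs2-header at all.
        return {"gs2": None, "pairs": {}, "bare_kvsep": True}
    m = re.match(GS2_HEADER, msg)
    if m is None:
        raise ValueError("no gs2-header")
    rest = msg[m.end():]
    if len(rest) < 2 or rest[0] != KVSEP or rest[-1] != KVSEP:
        raise ValueError("kvpairs must be framed by kvsep on both sides")
    body = rest[1:-1]
    pair_re = re.compile(f"({key_re})=({VALUE}){KVSEP}")
    pairs, pos = {}, 0
    while pos < len(body):
        pm = pair_re.match(body, pos)
        if pm is None:
            raise ValueError(f"bad kvpair at offset {pos}")
        pairs[pm.group(1)] = pm.group(2)
        pos = pm.end()
    return {"gs2": m.group(0), "pairs": pairs, "bare_kvsep": False}

def accepts(msg, key_re=KEY_DRAFT18):
    """True if msg is a valid client_resp under the given key rule."""
    try:
        parse_client_resp(msg, key_re)
        return True
    except ValueError:
        return False

# Constructed sample messages; the bearer token is a placeholder, not a real one.
NORMAL = ("n,a=user@example.com,\x01host=server.example.com\x01port=143\x01"
          "auth=Bearer EXAMPLE_TOKEN\x01\x01")
COMMA_KEY = "n,,\x01,=x\x01\x01"  # a kvpair whose key is a single comma
CANCEL = "\x01"                   # bare kvsep with no GS2 header at all

if __name__ == "__main__":
    for name, msg in [("normal", NORMAL), ("comma key", COMMA_KEY), ("cancel", CANCEL)]:
        print(name, "draft-18:", accepts(msg), "1*ALPHA:", accepts(msg, KEY_STRICT))
```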