IETF Logo Mail Archive

Re: [kitten] -06 posted Re: requirements/context/frustration Re: Comma vs. %x01 Re: OAuth SASL draft -05

Simon Josefsson <simon@josefsson.org> Tue, 04 September 2012 07:20 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFA4921F84F6 for <kitten@ietfa.amsl.com>; Tue, 4 Sep 2012 00:20:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.909
X-Spam-Level:
X-Spam-Status: No, score=-99.909 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Si9zIBP26wXc for <kitten@ietfa.amsl.com>; Tue, 4 Sep 2012 00:20:37 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id B504621F8470 for <kitten@ietf.org>; Tue, 4 Sep 2012 00:20:35 -0700 (PDT)
Received: from latte (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q847KQk3019999 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 4 Sep 2012 09:20:28 +0200
From: Simon Josefsson <simon@josefsson.org>
To: William Mills <wmills@yahoo-inc.com>
References: <1346084466.40894.YahooMailNeo@web31806.mail.mud.yahoo.com> <CAK3OfOiPB2AzW=dRca+OfV2SRi5v6o6mFAtibrjSrq+nO_+csQ@mail.gmail.com> <1346340420.52884.YahooMailNeo@web31816.mail.mud.yahoo.com> <1346377509.19979.YahooMailNeo@web31811.mail.mud.yahoo.com> <CAK3OfOgvWCCyyFtC7UuSD5S88K_Y8NsTMSS0evcNYZO6QZw01Q@mail.gmail.com> <1346392832.58517.YahooMailNeo@web31806.mail.mud.yahoo.com> <CAK3OfOiX4dVASqYRpQHTC3xovUoEZwo37=TBiOay_i=zzdDTNA@mail.gmail.com> <1346423716.90231.YahooMailNeo@web31812.mail.mud.yahoo.com> <CAK3OfOhb76+mfu0YacceE8KKDwOY5YHjm7iA_ARa+BmQjr6SvA@mail.gmail.com> <1346425705.73062.YahooMailNeo@web31807.mail.mud.yahoo.com> <CAK3OfOg=6naxUUDNqrd3DLWJXCGrqtv99b5MqbBonmfRWHthGQ@mail.gmail.com> <1346427940.66948.YahooMailNeo@web31806.mail.mud.yahoo.com> <CAK3OfOjUA7cBn9PScxrt2RatbgOoHX1CAiNBwU9HvWZtszmnsg@mail.gmail.com> <1346428901.34367.YahooMailNeo@web31812.mail.mud.yahoo.com> <CAPe4CjrrHXu9e2W=8xZZ442oViw6sBLy5htuPsbLxJNH23eO-g@mail.gmail.com> <CAK3OfOjTMooF4PPYpoDSuju7+XgAscbv+sYuuoGETrNbPuO7iQ@mail.gmail.com> <3008858F-8BF8-487F-B5EB-B3EB0D0BD35F@padl.com> <1346460964.79308.YahooMailNeo@web31805.mail.mud.yahoo.com> <1346476111.52370.YahooMailNeo__8449.33422417871$1346476132$gmane$org@web31811.mail.mud.yahoo.com> <87bohnwmca.fsf@latte.josefsson.org> <1346710108.6729.YahooMailNeo__16099.967438686$1346710121$gmane$org@web31804.mail.mud.yahoo.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:120904:kitten@ietf.org::YYvlV73Tz/S09Pm4:50BI
X-Hashcash: 1:22:120904:wmills@yahoo-inc.com::r0oURDa9sSSFqgJt:qor1
Date: Tue, 04 Sep 2012 09:20:24 +0200
In-Reply-To: <1346710108.6729.YahooMailNeo__16099.967438686$1346710121$gmane$org@web31804.mail.mud.yahoo.com> (William Mills's message of "Mon, 3 Sep 2012 15:08:28 -0700 (PDT)")
Message-ID: <87mx16s18n.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] -06 posted Re: requirements/context/frustration Re: Comma vs. %x01 Re: OAuth SASL draft -05
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2012 07:20:37 -0000

William Mills <wmills@yahoo-inc.com> writes:

>>3.1.  Initial Client Response
>>
>>   [...] The client MUST send an authorization ID in the gs2-header.
>>
>>Is this MUST intentional?  Normally authorization identities are not
>>asserted in SASL so this would be unusual.  I would remove this
>>sentence.
>
> Yes, because we want to have the plain text username available.

The SASL framework doesn't have any concept of usernames, so if you want
to transfer a "username" from the client to the server you need a
separate field for that in the mechanism.  SCRAM does this, so that is
an acceptable route.  However, I'm not certain you actually mean
"username" here.  Maybe you really mean authorization identity?  Or do
you mean the authentication identity?  Sometimes usernames and
authentication identities are used interchangeable but I'm not certain
this is the case here.

The SASL framework says the authzid is optional and that it is asserted
by the client application.  It shouldn't be used for something mechanism
internal.

I'll see if I can re-read Ryan's motivation for the username field.  I'm
thinking that perhaps he is really after an authzid field, and if the
authzid field is not present, he has to guess which authorization
identity is intended (or fail if he cannot guess).  I believe this usage
would be in line with the SASL model, although would require some user
training because users normally doesn't specify an authzid.  That's fine
though.  This approach is consistent with the protocol syntax in -06,
but the text describing how the syntax should be used is a bit off
currently.  So I don't think you actually want a username field, just
fix some text.

>>3.2.1.  Mapping to SASL Identities
>>
>>   Some OAuth mechanisms can provide both an authorization identity and
>>   an authentication identity.  An example of this is OAuth 1.0a
>>   [RFC5849] where the consumer key (oauth_consumer_key) identifies the
>>   entity using the token which equates to the SASL authentication
>>   identity, and is authenticated using the shared secret.  The server
>>   MAY use a consumer key, a value derived from it, or other comparable
>>   identity in the OAuth authorization scheme to allow SASL an
>>   authentication identity different from the authorization identity to
>>   be set.
>>
>>The OAuth 1.0a example in the second sentence seems to be missing
>>something: it describes how OAuth 1.0a provide an authentication
>>identity, but it does not describe how OAuth 1.0a provides for an
>>authorization identity as far as I can tell?  Adding a sentence after
>>the second, that describe how OAuth 1.0a provides an authorization
>>identity would help, and may help me understand the last sentence which
>>I can't understand the meaning of right now.
> The last sentence of 3.2 above 3.2.1 is "The authorization scheme MUST 
> carry the user ID to be used as the authorization identity (identity to 
> act as). The server MUST use the ID obtained from the credential as the 
> user being authorized."
>
> Should that sentence move into 3.2.1?

I must admit that the sentence doesn't make sense to me.

The (SASL) authorization identity should be transferred from client to
server without modification (modulo character set encodings).  It is
asserted by the client and consumed by the server.  Usually it is not
related to the credential type at all.

Thus, saying that another field in the credential MUST be used as the
SASL authorization identity seems quite far from how the SASL framework
is designed.  I don't see why you would design it this way -- it seems
overly complex for no gain that I have understood so far.

Hmm.  Perhaps at this point it would be more productive if one of us
usual GSSAPI/SASL suspects modify your draft into something that makes
sense in the GSSAPI/SASL model and then you can check if it works for
you in the OAuth world?

>>5.2.  OAuth 1.0a Authorization with Channel Binding
>>...
>>   y,a=user@example.com^A
>>...
>>
>>This uses a gs2-header cb-type of 'y' -- this seems wrong.  If channel
>>bindings are used (which is indicated by clients and servers having the
>>OAUTH10A-PLUS mechanism type available), the cb-type should be 'p' and
>>the cb type identifier should be present.  Recall the meaning of "y"
>>from RFC 5801:
>>
>
> I *KNEW* I had to have gotten something wrong in CB.  Will fix that.

Great.  I suggest to use the 'tls-unique' channel binding type, it is
what SCRAM and GS2 prefers, with a fallback to 'tls-server-end-point'.
Compare section 6.1 of RFC 5802.  You probably need a similar section in
this document.

/Simon

v2.23.0 | Report a Bug | By Email