[kitten] Feedback from IETF #83 on the OAUTH/SASL-KRB draft

William Mills <wmills@yahoo-inc.com> Wed, 04 April 2012 00:10 UTC

Message-ID: <1333498239.81695.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Tue, 03 Apr 2012 17:10:39 -0700
From: William Mills <wmills@yahoo-inc.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Subject: [kitten] Feedback from IETF #83 on the OAUTH/SASL-KRB draft


I went to IETF #83 specifically to get feedback (and I thought a tentative decision) on the question of whether the SASL message format currently there, which uses HTTP, was a good idea or not.  I did get a ton of good feedback in individual conversations; the conversation in the working group itself was a little less lively.

From the WG meeting:
-    Several folks promised to read deeper and bring comments back to the list.
-    Hannes' comment at the mic (my summary) was that given the many successful integrations against Google's XOAUTH that staying close to those has great value for getting successful uptake, and that adapting the code those clients use to new endpoints 

From general feedback from random folks:
-    Many folks said HTTP is in fact very hard to parse correctly if you have to parse it fully.
-    Some folks felt existing implementations close to a proposed spec are likely to add to successful adoption.
-    A few folks felt that it's reasonable to limit the stuff that actually has to be parsed.

There are real differences between the complexity needed for XOAUTH and for the proposed OAUTH mechanism.  XOAUTH does everything in the URL, where the OAUTH proposal  I'll post here the Google XOAUTH SASL message format, and an example from the draft spec:

From http://sites.google.com/site/oauthgoog/Home/oauthimap for XOAUTH:

For example, before base64-encoding, the initial client request might look like this (with linebreaks added for clarity):

(2-legged OAuth)
GET https://mail.google.com/mail/b/someuser@example.com/imap/?xoauth_requestor_id=someuser%40example.com
    oauth_consumer_key="example.com",
    oauth_nonce="4710307327925439451",
    oauth_signature="75%2BB63NbW2GdDMaOCEd%2Fy%2Fb%2B0Qk%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1260933683",
    oauth_version="1.0"
For the OAUTH mechanism a similar style signed request example is:
GET / HTTP/1.1
Host: server.example.com
User: user@example.com
Authorization: MAC token="h480djs93hd8",timestamp="137131200", nonce="dj83hs9s",signature="YTVjyNSujYs1WsDurFnvFi4JK6o="


The OAUTH mechanism will require (as currently specified) parsing of a Host, User, and Authorization header.  The path and query are actually ignored at present.  Based on this message I'll be posing questions to the list.

Regards,

-bill
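The two message shapes quoted in the mail, parsed with the limited parse the mail describes for the OAUTH mechanism (only Host, User and Authorization are interpreted; the request target is ignored) and a matching strict parse of the XOAUTH form. This is an added example and is not code from the mail, from the draft, or from Google; the function names (parse_kv_params, parse_oauth_draft, parse_xoauth, rejects) are hypothetical, CRLF or LF line endings are assumed for the HTTP-shaped message, and the XOAUTH line breaks are treated as whitespace because the quoted example says they were added for clarity. Both parsers only extract and validate structure; neither verifies a signature.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit


class SaslMessageError(ValueError):
    """Raised for any message that does not match the expected shape."""


# name="value" pairs, optionally comma-separated; values may not contain quotes.
_PAIR_RE = re.compile(r'\s*([A-Za-z0-9_]+)="([^"\\]*)"')
_SEP_RE = re.compile(r'\s*,?\s*')
_LINE_SPLIT = re.compile(r'\r?\n')
REQUIRED_MAC = ("token", "timestamp", "nonce", "signature")


def parse_kv_params(text):
    """Parse `name="value", ...` into a dict, rejecting junk and duplicate names."""
    params = {}
    pos = 0
    while pos < len(text):
        m = _PAIR_RE.match(text, pos)
        if m is None:
            raise SaslMessageError("malformed parameter list at offset %d" % pos)
        name, value = m.group(1), m.group(2)
        if name in params:
            raise SaslMessageError("duplicate parameter %r" % name)
        params[name] = value
        pos = _SEP_RE.match(text, m.end()).end()
    return params


def parse_oauth_draft(message):
    """Parse the HTTP-shaped OAUTH initial response. Only Host, User and
    Authorization are interpreted; the request target is deliberately ignored."""
    lines = _LINE_SPLIT.split(message)
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[2] != "HTTP/1.1":
        raise SaslMessageError("bad request line %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # the blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise SaslMessageError("bad header line %r" % line)
        key = name.lower()
        if key in headers:
            raise SaslMessageError("duplicate header %r" % name)
        headers[key] = value.strip()
    else:
        raise SaslMessageError("header block not terminated by a blank line")
    missing = [h for h in ("host", "user", "authorization") if h not in headers]
    if missing:
        raise SaslMessageError("missing header(s): %s" % ", ".join(missing))
    scheme, _, rest = headers["authorization"].partition(" ")
    if scheme.upper() != "MAC":
        raise SaslMessageError("unsupported authorization scheme %r" % scheme)
    mac = parse_kv_params(rest)
    missing = [p for p in REQUIRED_MAC if p not in mac]
    if missing:
        raise SaslMessageError("MAC credentials missing %s" % ", ".join(missing))
    if not mac["timestamp"].isdigit():
        raise SaslMessageError("timestamp must be decimal digits")
    return {"host": headers["host"], "user": headers["user"], "mac": mac}


def parse_xoauth(message):
    """Parse Google's XOAUTH initial response: `GET <url> <oauth params>`.
    Line breaks are treated as whitespace, matching the quoted example."""
    parts = re.split(r"\s+", message.strip(), maxsplit=2)
    if len(parts) != 3 or parts[0] != "GET":
        raise SaslMessageError("expected 'GET <url> <params>'")
    url = urlsplit(parts[1])
    if url.scheme != "https" or not url.netloc:
        raise SaslMessageError("request URL must be absolute https")
    requestor = parse_qs(url.query).get("xoauth_requestor_id", [])
    if len(requestor) != 1:
        raise SaslMessageError("exactly one xoauth_requestor_id is required")
    # OAuth 1.0 parameter values are percent-encoded; decode them for the caller.
    params = {k: unquote(v) for k, v in parse_kv_params(parts[2]).items()}
    return {"host": url.hostname, "path": url.path,
            "requestor_id": requestor[0], "params": params}


def rejects(parser, message):
    """True if the parser refuses the message (exercises the error paths)."""
    try:
        parser(message)
    except SaslMessageError:
        return True
    return False


# Sample messages, transcribed from the two examples quoted in the mail.
XOAUTH_EXAMPLE = (
    "GET https://mail.google.com/mail/b/someuser@example.com/imap/"
    "?xoauth_requestor_id=someuser%40example.com\n"
    '    oauth_consumer_key="example.com",\n'
    '    oauth_nonce="4710307327925439451",\n'
    '    oauth_signature="75%2BB63NbW2GdDMaOCEd%2Fy%2Fb%2B0Qk%3D",\n'
    '    oauth_signature_method="HMAC-SHA1",\n'
    '    oauth_timestamp="1260933683",\n'
    '    oauth_version="1.0"\n'
)
OAUTH_EXAMPLE = (
    "GET / HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "User: user@example.com\r\n"
    'Authorization: MAC token="h480djs93hd8",timestamp="137131200", '
    'nonce="dj83hs9s",signature="YTVjyNSujYs1WsDurFnvFi4JK6o="\r\n'
    "\r\n"
)

if __name__ == "__main__":
    print(parse_xoauth(XOAUTH_EXAMPLE))
    print(parse_oauth_draft(OAUTH_EXAMPLE))
    print(rejects(parse_oauth_draft, OAUTH_EXAMPLE.replace("Host: server.example.com\r\n", "")))
```

The point of the contrast is how little of HTTP the OAUTH parse actually needs: a request line whose target is discarded, a header block terminated by a blank line, and one `name="value"` list. Everything else (duplicate headers, a missing blank line, a non-MAC scheme, junk between parameters) is rejected before any credential handling happens, which is the kind of bounded parsing the "limit the stuff that has to be parsed" feedback argues for.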