Re: [kitten] I-D Action: draft-ietf-kitten-sasl-oauth-23.txt

Bill Mills <> Fri, 29 May 2015 16:57 UTC

Date: Fri, 29 May 2015 16:54:17 +0000
From: Bill Mills <>
To: "" <>, Stephen Farrell <>

Incorporates all pending IESG review feedback.

     On Friday, May 29, 2015 9:50 AM, "" <> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next Generation Working Group of the IETF.

        Title           : A set of SASL Mechanisms for OAuth
        Authors         : William Mills
                          Tim Showalter
                          Hannes Tschofenig
        Filename        : draft-ietf-kitten-sasl-oauth-23.txt
        Pages           : 24
        Date            : 2015-05-29

  OAuth enables a third-party application to obtain limited access to a
  protected resource, either on behalf of a resource owner by
  orchestrating an approval interaction, or by allowing the third-party
  application to obtain access on its own behalf.

  This document defines how an application client uses credentials
  obtained via OAuth over the Simple Authentication and Security Layer
  (SASL) to access a protected resource at a resource server.  Thereby,
  it enables schemes defined within the OAuth framework for non-HTTP-
  based application protocols.

  Clients typically store the user's long-term credential.  This does,
  however, lead to significant security vulnerabilities, for example,
  when such a credential leaks.  A significant benefit of OAuth for
  usage in those clients is that the password is replaced by a shared
  secret with higher entropy, i.e., the token.  Tokens typically
  provide limited access rights and can be managed and revoked
  separately from the user's long-term password.

The IETF datatracker status page for this draft is:

There's also a htmlized version available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at

Internet-Drafts are also available by anonymous FTP at:
