Re: [kitten] WGLC on draft-ietf-kitten-sasl-oauth-15

Benjamin Kaduk <kaduk@MIT.EDU> Mon, 08 September 2014 17:00 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61C1C1A890B for <kitten@ietfa.amsl.com>; Mon, 8 Sep 2014 10:00:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.954
X-Spam-Level:
X-Spam-Status: No, score=-3.954 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1-pONbOm8hE for <kitten@ietfa.amsl.com>; Mon, 8 Sep 2014 10:00:15 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B85E1A8904 for <kitten@ietf.org>; Mon, 8 Sep 2014 10:00:15 -0700 (PDT)
X-AuditID: 1209190c-f795e6d000006c66-ab-540de09d5a99
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 03.A4.27750.D90ED045; Mon, 8 Sep 2014 13:00:14 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id s88H0DUY016833; Mon, 8 Sep 2014 13:00:13 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s88H0BGl020788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 8 Sep 2014 13:00:12 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s88H0AiI024696; Mon, 8 Sep 2014 13:00:10 -0400 (EDT)
Date: Mon, 08 Sep 2014 13:00:10 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Bill Mills <wmills_92105@yahoo.com>
In-Reply-To: <1409962498.54315.YahooMailNeo@web142804.mail.bf1.yahoo.com>
Message-ID: <alpine.GSO.1.10.1409081240310.21571@multics.mit.edu>
References: <52AE9A65.1010700@oracle.com> <53F53D1F.7010305@oracle.com> <alpine.GSO.1.10.1409042219260.21571@multics.mit.edu> <1409962498.54315.YahooMailNeo@web142804.mail.bf1.yahoo.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-1275471049-1410195610=:21571"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupmleLIzCtJLcpLzFFi42IRYrdT1533gDfEYIGWxdHNq1gsvnVdZ3Zg 8liy5CeTx6xZh5kCmKK4bFJSczLLUov07RK4Mnpf72EuuKNe8XfZTJYGxoPyXYycHBICJhI7 fr9jhbDFJC7cW8/WxcjFISQwm0liV+NssISQwAZGiQf7OCHsg0wSm/dVQNj1EjsvPGMBsVkE tCR6Fj1hB7HZBFQkZr7ZCDSIg0NEQF2i+bs3SJgZyPx25g0jiC0sYCtxfF0b2HhOAU+Jwxfe MIOU8wo4SpzutYQ4YRejxN/jy8HGiwroSKzePwXM5hUQlDg58wkLSD2zQKDEkv/RExgFZyHJ zELIzAJbrCvxZtVBJghbW+L+zTa2BYwsqxhlU3KrdHMTM3OKU5N1i5MT8/JSi3QN9XIzS/RS U0o3MYLCmVOSZwfjm4NKhxgFOBiVeHg5LvOECLEmlhVX5h5ilORgUhLl/XCHN0SILyk/pTIj sTgjvqg0J7X4EKMEB7OSCO/Ty0A53pTEyqrUonyYlDQHi5I471trq2AhgfTEktTs1NSC1CKY rAwHh5IEb9t9oEbBotT01Iq0zJwShDQTByfIcB6g4RNBaniLCxJzizPTIfKnGHU51nV+62cS YsnLz0uVEuddeQ+oSACkKKM0D24OLA29YhQHekuYNxZkFA8whcFNegW0hAloyaRgsCUliQgp qQbGreH+wj/5TrIYMcoufjBRa5X4/M59v9XutO3WsuMNDD606L1dnO3hwClvdin/4rjyJPxA 9umupCP7n7h8eiQ56euL3vL2i95VF4oORb7lUXXvWOo7a5PGTzfPW2WP9hokBy+xzMuKar2g 97T8U7vtLoNpZYxfZzycYry9cpPXsRlva3Y1rEraq8RSnJFoqMVcVJwIAMowpt8eAwAA
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/xqiGX6jvzuT3P3BaO_GnAFv5D8o
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] WGLC on draft-ietf-kitten-sasl-oauth-15
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 17:00:17 -0000

On Fri, 5 Sep 2014, Bill Mills wrote:

> On Friday, September 5, 2014 10:05 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
>
> I see that the notation "%x01" is used throughout to indicate the octet
> with value 0x01, and this is used without comment in RFC 7159 (the JSON
> spec).  I guess this is standard in ABNF-land, but section 2 doesn't
> mention that we assume familiarity with such terminology.
>
> ***
> [bill] that's actually HTTP (URI?) entity encoding.
> ***

So we think that familiarity with RFC 6749 (OAuth 2.0) implies an
understanding of this usage?  If so, that's fine by me.


> In section 6, the example is given of "when SASL is used in the context of
> IMAP the resource server may assert the resource owner's email address to
> the IMAP server for usage in an email-based application.".  But isn't the
> IMAP server the resource server here?  Maybe it is the authorization
> server which is making this assertion?
>
> ***
> [bill]  it's the client asserting the email address, this now reads "in the
> context of IMAP the client may assert the resource owner's email address".
> ***

Okay, thanks.

> Also in 3.1, the sentence mandating that the server MUST fail requests
> that do not have host and port values but use keyed message digests could
> be made more clear.  I'm uncertain which sort of requests do require keyed
> message digests, so I don't really have any suggestions.
>
> ***
> [bill]  Changed to: "For OAuth token types such as OAuth 1.0a that use keyed
> message digests"
> ***

That helps some.  I think it was the text which is normative for the
server's actions that left me unsatisfied, though.  Seeing this now, I
suggest "server MUST fail an authorization request requiring keyed message
digests that is not accompanied by host and port values" (so, changing
from "do not have" to "is not accompanied by").  This does slightly change
the assumption of what blob of data is an "authorization request", i.e.,
is it the client response, or the value corresponding to the auth key.  If
it's the former, then my suggestion is probably not correct.

> In 3.2.1, I would be more comfortable if the second paragraph gave me some
> reason to think that doing so is possible.  Is there prior art, or some
> other specification for a similar thing that gives an example?  We don't
> need to enumerate every way it could be done, but it seems useful to give
> an indication that this is not going to end up dropping a heraculean task
> on the developer.
>
> ***
> [bill]  OAuth 1.0a tokens may well (and commonly have in some implementations)
> either carried or has access to the client identity.
>
> For the question of whether both identities can be communicated to the app, it
> would be a new capability you'd have to add to the SASL implementation you're
> using.  Not herculean, but not trivial if you're going to patch something like
> Cyrus SASL and keep it in sync with current releases.
> ***

So, an extension to the SASL library's API?  I'm not immediately coming up
with a good way to include that in the text, so maybe we can leave it
as-is.

> Editorial minutiae:
>
> The first paragraph of page 4 has the sentence "The framework also
> provides a protocol for security subsequent protocol exchanges within a
> data security layer.", which uses the word 'protocol' twice with two
> different usages.  It is probably best to add a qualifier to at least one
> occurrence.
>
> ***
> [bill] IIRC this is lifted from the SASL spec itself.  That said, deleting the
> second usage seems to do the trick, " The framework also provides a protocol for
> securing subsequent exchanges within a data security layer."
> ***

Yup, that seems to work well.

> The end of section 1 notes that "In band discovery is not tenable if
> clients support the OAuth 2.0 password grant."  It would be nice to say
> something about why.
>
> ***
> [bill] Now there's a fun topic.  There are folks that assert that allowing in
> band discovery if the password grant is in play might lead to an effective
> phishing attack.  Other's disagree.  No one hated the current language.  I'm
> really tempted to leave it alone.
> ***

Okay.  I don't want to go from uncontroversial text to controversial text.

> In section 3.1, replace "or may be empty" with "which may be empty".
>
> ***
> [bill]  no, because the empty client response containing only the 0x01 has no GS2
> header, now reads, "header followed by zero or more key/value pairs, or may be
> empty."
> ***

Ah, I see now.  Sorry for the confusion.

-Ben