IETF Logo Mail Archive

Re: [secdir] review of draft-ietf-kitten-sasl-openid-06

Jeffrey Hutzelman <jhutz@cmu.edu> Wed, 02 November 2011 17:01 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D099811E8109 for <secdir@ietfa.amsl.com>; Wed, 2 Nov 2011 10:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VeCAPRwX6Dec for <secdir@ietfa.amsl.com>; Wed, 2 Nov 2011 10:01:46 -0700 (PDT)
Received: from smtp01.srv.cs.cmu.edu (SMTP01.SRV.CS.CMU.EDU [128.2.217.196]) by ietfa.amsl.com (Postfix) with ESMTP id 1ABE611E80F8 for <secdir@ietf.org>; Wed, 2 Nov 2011 10:01:46 -0700 (PDT)
Received: from [192.168.202.155] (pool-74-109-253-27.pitbpa.fios.verizon.net [74.109.253.27]) (authenticated bits=0) by smtp01.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id pA2H1XwW023879 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Nov 2011 13:01:34 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <16815_1320162240_pA1FhxC9012735_p06240806cad5c0c575be@[193.0.26.186]>
References: <p06240801cad599b16640@[128.89.89.129]> <871utr53i6.fsf@latte.josefsson.org> <16815_1320162240_pA1FhxC9012735_p06240806cad5c0c575be@[193.0.26.186]>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 02 Nov 2011 13:01:32 -0400
Message-ID: <1320253292.28149.753.camel@destiny.pc.cs.cmu.edu>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.196
Cc: hmauldin@cisco.com, Simon Josefsson <simon@josefsson.org>, secdir@ietf.org, lear@cisco.com, jhutz@cmu.edu
Subject: Re: [secdir] review of draft-ietf-kitten-sasl-openid-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2011 17:01:46 -0000

On Tue, 2011-11-01 at 11:43 -0400, Stephen Kent wrote:

> > The situation is a bit more complicated than a simple MUST/MAY, but
> > I
> > believe everything is clear from the base SASL specification:
> > https://tools.ietf.org/html/rfc4422#section-3.4.1
> > 
> > Authorization identities are always optional, but mechanisms are
> > required to be able to transfer them if they are used by the
> > application.
> 
> 
> That statement, if placed in the I-D, will resolve my question.


That statement is not within the scope of this I-D.  It's descriptive of
SASL itself, and is covered in the SASL base specification.  In
particular, the requirement is one placed on SASL mechanisms (such as
the present I-D) by SASL itself.

Implementation of this mechanism requires an understanding of the SASL
base specification (unless one is implementing only the underlying
GSS-API mechanism, in which case the section in question is not relevant
at all).  I don't think it's necessary for every SASL mechanism to
restate all of SASL's requirements, and it may even be harmful, because
then it looks like you're trying to say something _different_ than what
the SASL spec says.

Do you really think any SASL implementor is going to be confused by
this?

v2.23.0 | Report a Bug | By Email