IETF Logo Mail Archive

Re: [secdir] review of draft-ietf-kitten-sasl-openid-06

Simon Josefsson <simon@josefsson.org> Thu, 03 November 2011 11:21 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C38311E8088 for <secdir@ietfa.amsl.com>; Thu, 3 Nov 2011 04:21:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.266
X-Spam-Level:
X-Spam-Status: No, score=-103.266 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sd6uENObP9iV for <secdir@ietfa.amsl.com>; Thu, 3 Nov 2011 04:21:19 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [213.115.69.139]) by ietfa.amsl.com (Postfix) with ESMTP id 3872211E8080 for <secdir@ietf.org>; Thu, 3 Nov 2011 04:21:19 -0700 (PDT)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id pA3BKPf7015732 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 3 Nov 2011 12:20:27 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Stephen Kent <kent@bbn.com>
References: <p06240801cad599b16640@[128.89.89.129]> <871utr53i6.fsf@latte.josefsson.org> <16815_1320162240_pA1FhxC9012735_p06240806cad5c0c575be@[193.0.26.186]> <1320253292.28149.753.camel@destiny.pc.cs.cmu.edu> <p06240800cad7fe0fd019@[193.0.26.186]>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:111103:hmauldin@cisco.com::kRU4OLpnhtIsaXma:Z2s
X-Hashcash: 1:22:111103:jhutz@cmu.edu::PTWjiSEp5sBxPfVt:0maf
X-Hashcash: 1:22:111103:kent@bbn.com::FhvgO83ncWWCqN3n:2at3
X-Hashcash: 1:22:111103:lear@cisco.com::ccU/PjzKx3o+0COe:7MEI
X-Hashcash: 1:22:111103:secdir@ietf.org::9LL5O+0/DxZMkq5n:Wjrq
Date: Thu, 03 Nov 2011 12:20:25 +0100
In-Reply-To: <p06240800cad7fe0fd019@[193.0.26.186]> (Stephen Kent's message of "Thu\, 3 Nov 2011 04\:16\:57 -0400")
Message-ID: <8762j1qwp2.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.2 at yxa-v
X-Virus-Status: Clean
Cc: hmauldin@cisco.com, secdir@ietf.org, lear@cisco.com, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [secdir] review of draft-ietf-kitten-sasl-openid-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 11:21:21 -0000

Stephen Kent <kent@bbn.com> writes:

> At 1:01 PM -0400 11/2/11, Jeffrey Hutzelman wrote:
>>On Tue, 2011-11-01 at 11:43 -0400, Stephen Kent wrote:
>>
>>>  > The situation is a bit more complicated than a simple MUST/MAY, but
>>>  > I
>>>  > believe everything is clear from the base SASL specification:
>>>  > https://tools.ietf.org/html/rfc4422#section-3.4.1
>>>  >
>>>  > Authorization identities are always optional, but mechanisms are
>>>  > required to be able to transfer them if they are used by the
>>>  > application.
>>>
>>>
>>>  That statement, if placed in the I-D, will resolve my question.
>>
>>
>>That statement is not within the scope of this I-D.  It's descriptive of
>>SASL itself, and is covered in the SASL base specification.  In
>>particular, the requirement is one placed on SASL mechanisms (such as
>>the present I-D) by SASL itself.
>>
>>Implementation of this mechanism requires an understanding of the SASL
>>base specification (unless one is implementing only the underlying
>>GSS-API mechanism, in which case the section in question is not relevant
>>at all).  I don't think it's necessary for every SASL mechanism to
>>restate all of SASL's requirements, and it may even be harmful, because
>>then it looks like you're trying to say something _different_ than what
>>the SASL spec says.
>>
>>Do you really think any SASL implementor is going to be confused by
>>this?
>
> Since I am not a SASL implementer, I can't say. I can say that as a
> reasonably intelligent reader, I found the wording ambiguous. I am
> opposed to ambiguous statement in RFCs :-).

Perhaps the solution is to remove text rather than add more?

I share Jeff's concern that adding text here may give the impression
that it implies something different than what a SASL implementer would
expect to follow automatically from the normative references.

How about removing this sentence:

       The GS2 header carries the optional authorization identity.

from section 3.1 and modify the other paragraph in section 3.1 into

   The syntax and semantics of the "gs2-header" is specified in
   [RFC5801], and we use it here with the following limitations.  The
   "gs2-nonstd-flag" MUST NOT be present.  The "gs2-cb- flag" MUST be
   "n" because channel binding is not supported by this mechanism.

The document is already clear elsewhere that the mechanism supports the
concept of authorization identities (see beginning of section 3).

The syntax and semantics of the authorization identity field is covered
normatively by the base SASL specification and the GS2 document.

/Simon

v2.23.0 | Report a Bug | By Email