
From luca.frosini@isti.cnr.it  Fri Feb 10 01:15:27 2012
Return-Path: <luca.frosini@isti.cnr.it>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD8C121F869A for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 01:15:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.61
X-Spam-Level: 
X-Spam-Status: No, score=-0.61 tagged_above=-999 required=5 tests=[AWL=1.109,  BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uiyeHRpmO9eh for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 01:15:27 -0800 (PST)
Received: from blade3.isti.cnr.it (blade3.isti.cnr.it [194.119.192.19]) by ietfa.amsl.com (Postfix) with ESMTP id 2F6D021F863F for <kitten@ietf.org>; Fri, 10 Feb 2012 01:15:27 -0800 (PST)
Received: from [146.48.87.201] by mx.isti.cnr.it (PMDF V6.6 #31988) with ESMTPSA id <01OBTLAS68I0J6IFQ9@mx.isti.cnr.it> for kitten@ietf.org; Fri, 10 Feb 2012 10:14:43 +0100 (MET)
Date: Fri, 10 Feb 2012 10:14:43 +0100
From: Luca Frosini <luca.frosini@isti.cnr.it>
To: kitten@ietf.org
Message-id: <4F34E003.8080709@isti.cnr.it>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0
X-INSM-ip-source: 146.48.87.201 Auth Done
Subject: [kitten] SASL + (Oauth, SAML, OpenID) email client
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 09:15:27 -0000

Does anybody know if there is an email client that already implements the 
draft version of one of SASL + (Oauth, SAML, OpenID), or a plugin for one 
of these?

Thanks in advance

Luca


From wmills@yahoo-inc.com  Fri Feb 10 01:39:01 2012
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB11B21F86A0 for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 01:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.929
X-Spam-Level: 
X-Spam-Status: No, score=-15.929 tagged_above=-999 required=5 tests=[AWL=-0.931, BAYES_50=0.001, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2WY1g9yhNe5B for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 01:39:01 -0800 (PST)
Received: from nm15-vm2.bullet.mail.ne1.yahoo.com (nm15-vm2.bullet.mail.ne1.yahoo.com [98.138.91.91]) by ietfa.amsl.com (Postfix) with SMTP id BDC9521F8699 for <kitten@ietf.org>; Fri, 10 Feb 2012 01:38:55 -0800 (PST)
Received: from [98.138.90.52] by nm15.bullet.mail.ne1.yahoo.com with NNFMP; 10 Feb 2012 09:38:50 -0000
Received: from [98.138.89.244] by tm5.bullet.mail.ne1.yahoo.com with NNFMP; 10 Feb 2012 09:38:50 -0000
Received: from [127.0.0.1] by omp1058.mail.ne1.yahoo.com with NNFMP; 10 Feb 2012 09:38:50 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 29923.66992.bm@omp1058.mail.ne1.yahoo.com
Received: (qmail 72782 invoked by uid 60001); 10 Feb 2012 09:38:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1328866729; bh=cvYWrNEldvVvUohwi14QImpSpzAWzM/fng8Ek6JXyyw=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=f8dA7McnqXPR5eXpqMvtcXZdd7ZQa5q+vKYIUSrFvl5mNfinourISGFsdI1yTX19q1bL64gmEbaVSAQ5yAJEOmtW213WchBkzlR0WS2txFsPfXK4JOcjPo+7HUyvRjDszVki/4QEXQ8YUr/aFUtU4cL3KO/zDPb0OrSBvgAmtvo=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=TlZCImCnnIiCxPQkcfDQXX2Uftk5ZvxoZeHV8FA9vuyz0DE/ROAPGnZBr4OHOEfZbXlrWpeaeevr+HgXfHL/TgT/THJ0ZVy0jDHYVHfD3koYi5b4KVCykUTxh4lpih24QVLijueO+6F0frcZCch5C8gM6DjhDvPbDLRkskPhAFw=;
Received: from [209.131.62.115] by web31805.mail.mud.yahoo.com via HTTP; Fri, 10 Feb 2012 01:38:49 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.117.340031
References: <4F34E003.8080709@isti.cnr.it>
Message-ID: <1328866729.18660.YahooMailNeo@web31805.mail.mud.yahoo.com>
Date: Fri, 10 Feb 2012 01:38:49 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Luca Frosini <luca.frosini@isti.cnr.it>, "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <4F34E003.8080709@isti.cnr.it>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-551393103-1194032779-1328866729=:18660"
Subject: Re: [kitten] SASL + (Oauth, SAML, OpenID) email client
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 09:39:02 -0000

---551393103-1194032779-1328866729=:18660
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

There is a very very rough and as yet incomplete Cyrus SASL plugin for
OAuth.  I've been working on it but lacked an actual auth server and RP
implementation to integrate against.  So...  The thing that works is the
framework with a dummy PHP auth server and a stub authenticator library.

The link is https://github.com/sweetums/SASL-OAuth and there's been a bit
of work since that point but I did not have it working enough locally to
do another code drop.

So if you want real reusable working code ready for prime time, this
ain't it yet.  If you want to get your hands in the code and help finish
it I'm more than happy to have help (and it would incidentally force me to
make time to work on it).

There is also a serious question outstanding as to whether the SASL
message payload format in the draft standard will change from HTTP to
JSON.  That would be a huge change in some ways, but since that plugin
already needs JSON for OAuth 2 errors and such there's no big new packages
to pull in.

-bill

________________________________
 From: Luca Frosini <luca.frosini@isti.cnr.it>
To: kitten@ietf.org
Sent: Friday, February 10, 2012 1:14 AM
Subject: [kitten] SASL + (Oauth, SAML, OpenID) email client

Anybody knows if there is an email client that already implements the
draft version of one of SASL + (Oauth, SAML, OpenID) or a plugin for one
of these?

Thanks in advance

Luca

_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten
---551393103-1194032779-1328866729=:18660--
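The payload format Bill is unsure about is the one the kitten SASL OAuth draft was still settling in 2012; in the revision eventually published as RFC 7628 (OAUTHBEARER) the client message became ^A-separated key/value pairs and JSON is used only for the server's failure challenge. The Python below is an added example, not code from this thread or from the SASL-OAuth repository: it encodes and strictly parses that exchange with constructed sample values, and the b64token restriction on the bearer token is this example's own hardening choice.

```python
import json
import re

KVSEP = b"\x01"  # RFC 7628 kvsep: ^A separates the key/value pairs
# Hardening choice of this example (the RFC grammar allows any VCHAR/SP value):
# accept only an RFC 6750 b64token after "Bearer".
_B64TOKEN = re.compile(rb"[A-Za-z0-9._~+/-]+=*")
# RFC 5801 gs2-header without channel binding: "n," [ "a=" authzid ] ","
_GS2 = re.compile(rb"n,(?:a=([^,\x00-\x1f\x7f]+))?,")
_KEY = re.compile(rb"[A-Za-z]+")


def build_client_response(host, port, token, authzid=None):
    """Client side: encode the OAUTHBEARER initial client response."""
    gs2 = b"n," + (b"a=" + authzid.encode("utf-8") if authzid else b"") + b","
    pairs = [(b"host", host.encode("ascii")),
             (b"port", str(port).encode("ascii")),
             (b"auth", b"Bearer " + token.encode("ascii"))]
    return gs2 + KVSEP + b"".join(k + b"=" + v + KVSEP for k, v in pairs) + KVSEP


def parse_client_response(msg):
    """Server side: strict parse; raises ValueError on anything malformed."""
    if not msg.endswith(KVSEP):
        raise ValueError("missing terminating ^A")
    head, sep, body = msg[:-1].partition(KVSEP)
    if not sep:
        raise ValueError("missing gs2-header separator")
    gs2 = _GS2.fullmatch(head)
    if not gs2:
        raise ValueError("bad gs2-header")
    fields = {}
    items = body.split(KVSEP)
    if items[-1] != b"":  # every kvpair must end in ^A
        raise ValueError("kvpair not terminated")
    for item in items[:-1]:
        key, eq, value = item.partition(b"=")
        if not eq or not _KEY.fullmatch(key) or key in fields:
            raise ValueError("bad or duplicate kvpair")
        fields[key] = value
    auth = fields.get(b"auth")
    if auth is None:
        raise ValueError("auth kvpair is required")
    scheme, _, token = auth.partition(b" ")
    if scheme.lower() != b"bearer" or not _B64TOKEN.fullmatch(token):
        raise ValueError("auth value must be 'Bearer <b64token>'")
    port = None
    if b"port" in fields:
        if not fields[b"port"].isdigit() or not 0 < int(fields[b"port"]) < 65536:
            raise ValueError("bad port")
        port = int(fields[b"port"])
    return {
        "authzid": gs2.group(1).decode("utf-8") if gs2.group(1) else None,
        "host": fields[b"host"].decode("ascii") if b"host" in fields else None,
        "port": port,
        "token": token.decode("ascii"),
    }


def build_failure_challenge(status, scope=None, openid_configuration=None):
    """Server side: the JSON challenge sent when the bearer token is rejected."""
    obj = {"status": status}
    if scope:
        obj["scope"] = scope
    if openid_configuration:
        obj["openid-configuration"] = openid_configuration
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


CLIENT_ABORT = KVSEP  # the client's only valid reply to a failure challenge


def parse_failure_challenge(challenge):
    """Client side: decode the server's JSON failure object."""
    try:
        obj = json.loads(challenge.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("challenge is not JSON") from exc
    if not isinstance(obj, dict) or not isinstance(obj.get("status"), str):
        raise ValueError("challenge lacks a string 'status' member")
    return obj


def rejected(msg):
    """Return the server parser's rejection reason, or None when accepted."""
    try:
        parse_client_response(msg)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """One rejected exchange end to end; all sample values are constructed."""
    msg = build_client_response("imap.example.com", 143,
                                "vF9dft4qmTc2Nvb3RlckBhdHRhdmlzdGEuY29t",
                                authzid="user@example.com")
    parsed = parse_client_response(msg)
    challenge = build_failure_challenge("invalid_token", scope="example_scope")
    return parsed, parse_failure_challenge(challenge), CLIENT_ABORT


if __name__ == "__main__":
    print(demo())
```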

From luca.frosini@isti.cnr.it  Fri Feb 10 02:00:49 2012
Return-Path: <luca.frosini@isti.cnr.it>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B9E421F8758 for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 02:00:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.679
X-Spam-Level: 
X-Spam-Status: No, score=-0.679 tagged_above=-999 required=5 tests=[AWL=0.440,  BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zmbsgiqlrOhE for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 02:00:48 -0800 (PST)
Received: from blade3.isti.cnr.it (blade3.isti.cnr.it [194.119.192.19]) by ietfa.amsl.com (Postfix) with ESMTP id 44A6121F8757 for <kitten@ietf.org>; Fri, 10 Feb 2012 02:00:48 -0800 (PST)
Received: from [146.48.87.201] by mx.isti.cnr.it (PMDF V6.6 #31988) with ESMTPSA id <01OBTMW3U8D8J6IFQ9@mx.isti.cnr.it> for kitten@ietf.org; Fri, 10 Feb 2012 11:00:09 +0100 (MET)
Date: Fri, 10 Feb 2012 11:00:09 +0100
From: Luca Frosini <luca.frosini@isti.cnr.it>
In-reply-to: <1328866729.18660.YahooMailNeo@web31805.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>
Message-id: <4F34EAA9.4030608@isti.cnr.it>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0
X-INSM-ip-source: 146.48.87.201 Auth Done
References: <4F34E003.8080709@isti.cnr.it> <1328866729.18660.YahooMailNeo@web31805.mail.mud.yahoo.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SASL + (Oauth, SAML, OpenID) email client
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 10:00:49 -0000

Hi William,

thanks for your answer.
My need is to investigate such technologies with our SMTP, POP, IMAP 
server.

I found your project on GitHub and have already considered trying to 
integrate it with a webmail such as Roundcube for my tests; in that case 
I'll be happy to contribute. Thanks for proposing it.

Luca


On 10/02/2012 10:38, William Mills wrote:
> There is a very very rough and as yet incomplete Cyrus SASL plugin for 
> OAuth.  I've been working on it but lacked an actual auth server and 
> RP implementation to integrate against.   So...  The thing that works 
> is the framework with a  dummy PHP auth server and a stub 
> authenticator library.
>
> The link is https://github.com/sweetums/SASL-OAuth and there's been a 
> bit of work since that point but I did not have it working enough 
> locally to do another code drop.
>
> So if you want real reusable working code ready for prime time, this 
> ain't it yet.  If you want to get you hands in the code and help 
> finish it I'm more than happy to have help (and it would incidentally 
> force me to make time to work on it).
>
> There is also a serious question outstanding as to whether the SASL 
> message payload format in the draft standard will change from HTTP to 
> JSON.  That would be a huge change in some ways, but since that plugin 
> already needs JSON for OAuth 2 errors and such there's no big new 
> packages to pull in.
>
> -bill
>
> ------------------------------------------------------------------------
> *From:* Luca Frosini <luca.frosini@isti.cnr.it>
> *To:* kitten@ietf.org
> *Sent:* Friday, February 10, 2012 1:14 AM
> *Subject:* [kitten] SASL + (Oauth, SAML, OpenID) email client
>
> Anybody knows if there is an email client that already implements the 
> draft version of one of SASL + (Oauth, SAML, OpenID) or a plugin for 
> one of these?
>
> Thanks in advance
>
> Luca
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org <mailto:Kitten@ietf.org>
> https://www.ietf.org/mailman/listinfo/kitten
>
>


-- 
Ing. Luca Frosini

Istituto di Scienza e Tecnologie dell'Informazione "A. Faedo" (ISTI)
Italian National Research Council (CNR)

G. Moruzzi, 1 - 56124 Pisa, Italy
Area della Ricerca CNR di Pisa

Mob: (+39)  339 7697029
Web-site: http://www.lucafrosini.com
Skype: luca.frosini


From wmills@yahoo-inc.com  Fri Feb 10 13:06:29 2012
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED0EC21F8872 for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 13:06:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.898
X-Spam-Level: 
X-Spam-Status: No, score=-15.898 tagged_above=-999 required=5 tests=[AWL=-0.900, BAYES_50=0.001, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q8LHrBG1P3dc for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 13:06:29 -0800 (PST)
Received: from nm17.bullet.mail.bf1.yahoo.com (nm17.bullet.mail.bf1.yahoo.com [98.139.212.176]) by ietfa.amsl.com (Postfix) with SMTP id 2A86021F8871 for <kitten@ietf.org>; Fri, 10 Feb 2012 13:06:28 -0800 (PST)
Received: from [98.139.212.146] by nm17.bullet.mail.bf1.yahoo.com with NNFMP; 10 Feb 2012 21:06:28 -0000
Received: from [98.139.212.206] by tm3.bullet.mail.bf1.yahoo.com with NNFMP; 10 Feb 2012 21:06:28 -0000
Received: from [127.0.0.1] by omp1015.mail.bf1.yahoo.com with NNFMP; 10 Feb 2012 21:06:28 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 518587.90728.bm@omp1015.mail.bf1.yahoo.com
Received: (qmail 56325 invoked by uid 60001); 10 Feb 2012 21:05:57 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1328907957; bh=ltsKj5BudcSnCdP9jdfad2faiOV2omoEoLzDYvshSaI=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=JtxSzpsKx/FMsVgZ5+ewV/PR5oY3bj65zy/ZiMvcg9UAFO5owhnsnu3X3s/dAdH+V8OntEH94WOrZn2jznOx8CzaXrSql+VNKhBcthH8ovNNHRZCmr8Yk64JMxb0AVeulxUAf+RmJcHI3z6zgxO9fESIVb4MvvjlkWT5joQA2Yg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=PCOReIWaQyhxlHwix2+SBx/prhmJjqGGWMyr02OvO3d2yFQHNtYwjJqhmNIUoz6mDoHWycJztNlOi7mi+03IOrI0xqtZ9vs9fJ8TuEMHW07CTCUPZyQdEBn/I0RjKzjUqhDwS9CxA7PG1bn7oNlnTY34lxYt3TyfUj6dhSVy6PU=;
Received: from [209.131.62.115] by web31801.mail.mud.yahoo.com via HTTP; Fri, 10 Feb 2012 13:05:57 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.117.340031
References: <999913AB42CC9341B05A99BBF358718DE38797@FIESEXC035.nsn-intra.net> <4F04E442.4000702@yahoo-inc.com> <C0B5568F50F6582F8EE6E4BA@96B2F16665FF96BAE59E9B90> <8762gqev30.fsf@windlord.stanford.edu> <4F06183B.4010401@yahoo-inc.com> <1325808084.1216.YahooMailNeo@web31812.mail.mud.yahoo.com> <1327389000.74641.YahooMailNeo@web31807.mail.mud.yahoo.com>
Message-ID: <1328907957.48060.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Fri, 10 Feb 2012 13:05:57 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <1327389000.74641.YahooMailNeo@web31807.mail.mud.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-368338466-654578982-1328907957=:48060"
Subject: [kitten] newbie question...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 21:06:30 -0000

---368338466-654578982-1328907957=:48060
Content-Type: text/plain; charset=us-ascii

Is there any cost/conference fee for IETF meetings?

Thanks,

-bill

---368338466-654578982-1328907957=:48060--

From nico@cryptonector.com  Fri Feb 10 13:09:33 2012
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDF5921F8882 for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 13:09:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.869
X-Spam-Level: 
X-Spam-Status: No, score=-1.869 tagged_above=-999 required=5 tests=[AWL=0.108,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4NA5i2uCfKk for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 13:09:33 -0800 (PST)
Received: from homiemail-a97.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by ietfa.amsl.com (Postfix) with ESMTP id 4EEDA21F8881 for <kitten@ietf.org>; Fri, 10 Feb 2012 13:09:33 -0800 (PST)
Received: from homiemail-a97.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTP id CF4F128607E for <kitten@ietf.org>; Fri, 10 Feb 2012 13:09:32 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc: content-type; q=dns; s=cryptonector.com; b=o8V/XJCl1pqtzNByCIC0Z YeWIDIoHFCyivIJQL+J2rma1YSJ5Ynpk2CNWWmmsxvAATO/c6mCqtZeKPEzMeDh4 6Fd5nUi4+4Vo9WfFP5diieO8w3QTXte3ws+kENpz0vPE+eGN3mNCPp5xjhAI6bd2 n+Gx5AGTUi1MDR7/8nZrgo=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=V0z2qvGpP4q9b2WJqu1X DQYG0nA=; b=vp3iZ0YRhKO7ZRgKHGTgGDUrPuun03CVyhCtSf2AIAncTWtO39eF AIwmjZ2B1XTefFB+gu5jpWXjfL0BW2j+S5D1kwsY4IGVMr0PWLsoZ6b5BVqonvg/ vOj8YYry8/tieb0AiROh+ypSfyiaLY5lUkVPuqhBCMiXCQPdZvF4PRY=
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTPSA id B29D828607D for <kitten@ietf.org>; Fri, 10 Feb 2012 13:09:32 -0800 (PST)
Received: by dakl33 with SMTP id l33so2815678dak.31 for <kitten@ietf.org>; Fri, 10 Feb 2012 13:09:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.208.196 with SMTP id mg4mr19497640pbc.108.1328908172346; Fri, 10 Feb 2012 13:09:32 -0800 (PST)
Received: by 10.68.136.4 with HTTP; Fri, 10 Feb 2012 13:09:32 -0800 (PST)
In-Reply-To: <1328907957.48060.YahooMailNeo@web31801.mail.mud.yahoo.com>
References: <999913AB42CC9341B05A99BBF358718DE38797@FIESEXC035.nsn-intra.net> <4F04E442.4000702@yahoo-inc.com> <C0B5568F50F6582F8EE6E4BA@96B2F16665FF96BAE59E9B90> <8762gqev30.fsf@windlord.stanford.edu> <4F06183B.4010401@yahoo-inc.com> <1325808084.1216.YahooMailNeo@web31812.mail.mud.yahoo.com> <1327389000.74641.YahooMailNeo@web31807.mail.mud.yahoo.com> <1328907957.48060.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Fri, 10 Feb 2012 15:09:32 -0600
Message-ID: <CAK3OfOhW2DMm6sK4_srpxFR785R_9CPmBqGvfPDkxYJqfkKaPA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: William Mills <wmills@yahoo-inc.com>
Content-Type: text/plain; charset=UTF-8
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] newbie question...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 21:09:34 -0000

On Fri, Feb 10, 2012 at 3:05 PM, William Mills <wmills@yahoo-inc.com> wrote:
> Is there any cost/conference fee for IETF meetings?

For the actual conference, yes.  For participation on the mailing
lists, or via webex, no.

Nico
--

From luca.frosini@isti.cnr.it  Fri Feb 10 13:29:16 2012
Return-Path: <luca.frosini@isti.cnr.it>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2765B21F8725 for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 13:29:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.119
X-Spam-Level: 
X-Spam-Status: No, score=-1.119 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDyXRorHUOQe for <kitten@ietfa.amsl.com>; Fri, 10 Feb 2012 13:29:15 -0800 (PST)
Received: from blade3.isti.cnr.it (blade3.isti.cnr.it [194.119.192.19]) by ietfa.amsl.com (Postfix) with ESMTP id EE40B21F8721 for <kitten@ietf.org>; Fri, 10 Feb 2012 13:28:57 -0800 (PST)
Received: from [192.168.0.3] ([87.10.132.196]) by mx.isti.cnr.it (PMDF V6.6 #31988) with ESMTPSA id <01OBUAWT8LIIJCPPEH@mx.isti.cnr.it> for kitten@ietf.org; Fri, 10 Feb 2012 22:27:55 +0100 (MET)
Date: Fri, 10 Feb 2012 22:27:54 +0100
From: Luca Frosini <luca.frosini@isti.cnr.it>
In-reply-to: <CAK3OfOhW2DMm6sK4_srpxFR785R_9CPmBqGvfPDkxYJqfkKaPA@mail.gmail.com>
To: kitten@ietf.org, wmills@yahoo-inc.com
Message-id: <4F358BDA.8010503@isti.cnr.it>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120129 Thunderbird/10.0
X-INSM-ip-source: 87.10.132.196 Auth Done
References: <999913AB42CC9341B05A99BBF358718DE38797@FIESEXC035.nsn-intra.net> <4F04E442.4000702@yahoo-inc.com> <C0B5568F50F6582F8EE6E4BA@96B2F16665FF96BAE59E9B90> <8762gqev30.fsf@windlord.stanford.edu> <4F06183B.4010401@yahoo-inc.com> <1325808084.1216.YahooMailNeo@web31812.mail.mud.yahoo.com> <1327389000.74641.YahooMailNeo@web31807.mail.mud.yahoo.com> <1328907957.48060.YahooMailNeo@web31801.mail.mud.yahoo.com> <CAK3OfOhW2DMm6sK4_srpxFR785R_9CPmBqGvfPDkxYJqfkKaPA@mail.gmail.com>
Subject: Re: [kitten] newbie question...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 21:29:16 -0000

You can find the cost to participate in the next IETF meeting in Paris here:

https://www.ietf.org/registration/ietf83/ietfreg.py

Luca

On 10/02/2012 22:09, Nico Williams wrote:
> On Fri, Feb 10, 2012 at 3:05 PM, William Mills<wmills@yahoo-inc.com>  wrote:
>> Is there any cost/conference fee for IETF meetings?
> For the actual conference, yes.  For participation on the mailing
> lists, or via webex, no.
>
> Nico
> --
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>


-- 
Ing. Luca Frosini

Istituto di Scienza e Tecnologie dell'Informazione "A. Faedo" (ISTI)
Italian National Research Council (CNR)

G. Moruzzi, 1 - 56124 Pisa, Italy
Area della Ricerca CNR di Pisa

Mob: (+39)  339 7697029
Web-site: http://www.lucafrosini.com
Skype: luca.frosini


From internet-drafts@ietf.org  Mon Feb 20 00:54:49 2012
Return-Path: <internet-drafts@ietf.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E02821F86E1; Mon, 20 Feb 2012 00:54:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.544
X-Spam-Level: 
X-Spam-Status: No, score=-102.544 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ByYRBo+ATET2; Mon, 20 Feb 2012 00:54:48 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5A7A21F8533; Mon, 20 Feb 2012 00:54:48 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.64p2
Message-ID: <20120220085448.6355.18843.idtracker@ietfa.amsl.com>
Date: Mon, 20 Feb 2012 00:54:48 -0800
Cc: kitten@ietf.org
Subject: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-09.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2012 08:54:49 -0000

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Common Authentication
Technology Next Generation Working Group of the IETF.

	Title           : A SASL and GSS-API Mechanism for SAML
	Author(s)       : Klaas Wierenga
                          Eliot Lear
                          Simon Josefsson
	Filename        : draft-ietf-kitten-sasl-saml-09.txt
	Pages           : 30
	Date            : 2012-02-20

   Security Assertion Markup Language (SAML) has found its usage on the
   Internet for Web Single Sign-On.  Simple Authentication and Security
   Layer (SASL) and the Generic Security Service Application Program
   Interface (GSS-API) are application frameworks to generalize
   authentication.  This memo specifies a SASL mechanism and a GSS-API
   mechanism for SAML 2.0 that allows the integration of existing SAML
   Identity Providers with applications using SASL and GSS-API.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-kitten-sasl-saml-09.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-kitten-sasl-saml-09.txt


From jbasney@illinois.edu  Tue Feb 21 12:24:08 2012
Return-Path: <jbasney@illinois.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1088321F8636 for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2012 12:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f41JNCQCIcgK for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2012 12:24:07 -0800 (PST)
Received: from dscas1.ad.uiuc.edu (dscas1.ad.uiuc.edu [128.174.68.119]) by ietfa.amsl.com (Postfix) with ESMTP id C162021F8633 for <kitten@ietf.org>; Tue, 21 Feb 2012 12:24:07 -0800 (PST)
Received: from bit.ncsa.uiuc.edu (141.142.220.216) by smtp-secure.illinois.edu (128.174.68.18) with Microsoft SMTP Server (TLS) id 8.3.159.2; Tue, 21 Feb 2012 14:24:07 -0600
Message-ID: <4F43FD66.6090401@illinois.edu>
Date: Tue, 21 Feb 2012 14:24:06 -0600
From: Jim Basney <jbasney@illinois.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: kitten@ietf.org
X-Enigmail-Version: 1.3.5
OpenPGP: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: [kitten] comments/questions on draft-ietf-kitten-sasl-saml-ec-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 20:24:08 -0000

Hi,

We're working on a GSS-API mechanism implementation according to
draft-ietf-kitten-sasl-saml-ec-00, and so far the following
comments/questions have come up:

What should gss_accept_sec_context() return for src_name (initiator's
identity)? Is there a particular SAML attribute value our GSS-API
mechanism should be looking for to indicate the user's identity?

What should gss_context_time() return? GSS_C_INDEFINITE? Or should we
look in the SAML assertion for NotBefore/NotOnOrAfter times?

The SAML ECP spec says that the “service provider MUST return an HTTP
error status" on errors, but there's no HTTP between the GSS initiator
and acceptor, and we assume errors are indicated by GSS status
codes. A clarifying statement in draft-ietf-kitten-sasl-saml-ec that the
"MUST return an HTTP error status" requirement doesn't apply to GSS-API
would be helpful. If you agree, I'm willing to propose text.

Section 5 says "applications MUST match the TLS server identity with the
target name" which introduces a TLS requirement that I think is not
intended. I suggest the following changes. In Section 1, change
"existing security layers, such as Transport Layer Security (TLS)" to
"existing security layers, such as Transport Layer Security (TLS) or
Secure Shell (SSH)" just to give at least one TLS alternative example.
Then in Section 5, update "The mutual authentication property..."
paragraph as follows: "The mutual authentication property of this
mechanism relies on successfully comparing the server identity from the
existing security layer (TLS, SSH, etc.) with the negotiated target
name. Since the existing security layer is managed by the application
outside of the GSS-API mechanism, the mechanism itself is unable to
confirm the name. For this reason, applications MUST match the server
identity from the existing security layer with the target name. For TLS,
this matching MUST be performed as discussed in [RFC6125]. For SSH, this
matching MUST be performed as discussed in [RFC4462]. Applications may
rely on the GSS-API mechanism to perform this matching by passing the
server identity as targ_name to GSS_Init_sec_context()."

As you can probably guess from the above, our initial target application
for this GSS-API mechanism is SSH (RFC 4462).

Thanks,
Jim
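The check Jim's proposed Section 5 text places on the application, matching the server identity authenticated by the outer security layer against the GSS-API target name, is shown below as an added example in Python. It is not text or code from the draft, from Jim, or from any GSS-API implementation. It assumes the application passes a GSS_C_NT_HOSTBASED_SERVICE name of the form "service@host" as targ_name and already holds the DNS-IDs from the verified TLS certificate (or the host name it verified over SSH) as plain strings; the function names are this example's own, and the refusal of very short wildcard patterns such as "*.com" is a conservative local choice rather than RFC 6125 text.

```python
"""Match a GSS-API target name against the server identity the outer
security layer (TLS or SSH) authenticated, following the RFC 6125
section 6.4.3 DNS-ID comparison rules.

Added example, not code from the draft or any GSS-API mechanism. Assumes
targ_name is a GSS_C_NT_HOSTBASED_SERVICE string "service@host" and that
the caller supplies the presented DNS-IDs as strings.
"""
from __future__ import annotations


def reference_identifier(targ_name: str) -> str:
    """Host part of an assumed "service@host" target name, normalised for
    comparison (trailing dot removed, lower-cased)."""
    service, sep, host = targ_name.partition("@")
    if not sep or not service or not host:
        raise ValueError("expected GSS_C_NT_HOSTBASED_SERVICE 'service@host'")
    return host.rstrip(".").lower()


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID with the reference identifier:
    case-insensitive, label by label, same number of labels, and a
    wildcard honoured only in the left-most label of the presented name."""
    p_labels = presented.rstrip(".").lower().split(".")
    r_labels = reference.rstrip(".").lower().split(".")
    if len(p_labels) != len(r_labels) or "" in p_labels or "" in r_labels:
        return False
    # Every label but the left-most must match exactly; a "*" anywhere else
    # in the presented name therefore never matches (RFC 6125 6.4.3, item 1).
    if p_labels[1:] != r_labels[1:]:
        return False
    if "*" not in p_labels[0]:
        return p_labels[0] == r_labels[0]
    # Local policy (not RFC 6125 text): refuse wildcards with fewer than two
    # labels to their right, so "*.com" can never match anything.
    if len(p_labels) < 3:
        return False
    # "*" matches exactly one label; "baz*" style partial wildcards match a
    # label with the given prefix and suffix (RFC 6125 6.4.3, items 2 and 3).
    head, _, tail = p_labels[0].partition("*")
    if "*" in tail:
        return False
    first = r_labels[0]
    return (len(first) >= len(head) + len(tail)
            and first.startswith(head) and first.endswith(tail))


def server_identity_matches(targ_name: str, presented_ids: list[str]) -> bool:
    """True when any authenticated DNS-ID matches the target name; an
    application relying on this for mutual authentication must treat False
    as a failed context, not as a warning."""
    ref = reference_identifier(targ_name)
    return any(dns_id_matches(p, ref) for p in presented_ids)


if __name__ == "__main__":
    # Constructed sample: the target the initiator asked for, and the
    # DNS-IDs a TLS certificate for the same host might carry.
    print(server_identity_matches("host@imap.example.org",
                                  ["mail.example.org", "*.example.org"]))
```

Passing the result of this check back into the mechanism as targ_name, as the proposed text allows, does not change what is compared; it only moves the comparison behind the GSS-API call.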

From cantor.2@osu.edu  Tue Feb 21 12:35:51 2012
Return-Path: <cantor.2@osu.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8029121F87A9 for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2012 12:35:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F4Dj9ojNsNxE for <kitten@ietfa.amsl.com>; Tue, 21 Feb 2012 12:35:51 -0800 (PST)
Received: from defang22.it.ohio-state.edu (defang22.it.ohio-state.edu [128.146.216.225]) by ietfa.amsl.com (Postfix) with ESMTP id CEA4D21F87AA for <kitten@ietf.org>; Tue, 21 Feb 2012 12:35:50 -0800 (PST)
Received: from CIO-TNC-HT05.osuad.osu.edu (cio-tnc-ht05.osuad.osu.edu [164.107.81.168]) by defang22.it.ohio-state.edu (8.13.1/8.13.1) with ESMTP id q1LKZej3025940; Tue, 21 Feb 2012 15:35:49 -0500
Received: from CIO-KRC-D1MBX01.osuad.osu.edu ([fe80::450b:35e6:80f4:f3e0]) by CIO-TNC-HT05.osuad.osu.edu ([fe80::d0be:603:484c:5a2f%10]) with mapi id 14.01.0355.002; Tue, 21 Feb 2012 15:35:35 -0500
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Jim Basney <jbasney@illinois.edu>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] comments/questions on draft-ietf-kitten-sasl-saml-ec-00
Thread-Index: AQHM8NbGpb8oxQ5baEquUTT71PNETJZHzw0A
Date: Tue, 21 Feb 2012 20:35:34 +0000
Message-ID: <CB6967FA.15B27%cantor.2@osu.edu>
In-Reply-To: <4F43FD66.6090401@illinois.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [128.146.160.26]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <EB03D85A40C5EB40BD1C93461D6E78F8@exchange.osu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CanIt-Geo: ip=164.107.81.168; country=US; region=OH; city=Columbus; postalcode=43201; latitude=39.9930; longitude=-82.9985; metrocode=535; areacode=614; http://maps.google.com/maps?q=39.9930,-82.9985&z=6
X-CanItPRO-Stream: outbound
X-Scanned-By: CanIt (www . roaringpenguin . com) on 128.146.216.225
Subject: Re: [kitten] comments/questions on draft-ietf-kitten-sasl-saml-ec-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 20:35:51 -0000

On 2/21/12 3:24 PM, "Jim Basney" <jbasney@illinois.edu> wrote:
>
>What should gss_accept_sec_context() return for src_name (initiator's
>identity)? Is there a particular SAML attribute value our GSS-API
>mechanism should be looking for to indicate the user's identity?

I think the plan was to align this with other drafts in this territory,
such as the other SAML draft, the EAP/ABFAB mech, etc. I don't know what
the status of those drafts is with respect to this issue.

I would say that in isolation, I would rather not overload the mechanism
with responsibility for mapping SAML attributes to identity, and stick to
either the NameID or a stand-in constant of some kind in the case that
none is present.

But what application compatibility considerations exist? I suspect this
has something to do with discussions about mapping federated identity into
local identity that I've seen go by.

>What should gss_context_time() return? GSS_C_INDEFINITE? Or should we
>look in the SAML assertion for NotBefore/NotOnOrAfter times?

I think the appropriate thing would be to apply some local policy, capped
by SessionNotOnOrAfter, to match the semantics used with HTTP scenarios.
That could be made more explicit, but in general SAML leaves that up to
the RP.

>The SAML ECP spec says that the “service provider MUST return an HTTP
>error status" on errors, but there's no HTTP between the GSS initiator
>and acceptor, and we assume errors are indicated by GSS status
>codes. A clarifying statement in draft-ietf-kitten-sasl-saml-ec that the
>"MUST return an HTTP error status" requirement doesn't apply to GSS-API
>would be helpful. If you agree, I'm willing to propose text.

One of the challenges is expressing normative dependency on SAML ECP
without actually normatively depending on the whole thing. I don't think I
have language implying that dependency is total, but that may not be clear
at this point. I agree that it's not intended, certainly. The intent was
that the RFC would note exactly the sections and portions of the document
that are normatively reused as they are referenced.

>Section 5 says "applications MUST match the TLS server identity with the
>target name" which introduces a TLS requirement that I think is not
>intended.

Barring disagreement from those with more experience, I would say your
changes seem correct to me and I can put them in the queue for an updated
draft.

-- Scott


From iesg-secretary@ietf.org  Wed Feb 22 07:21:35 2012
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A66821F87C0; Wed, 22 Feb 2012 07:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.507
X-Spam-Level: 
X-Spam-Status: No, score=-102.507 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrKl79WCM5Ma; Wed, 22 Feb 2012 07:21:28 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CDFD21F87AD; Wed, 22 Feb 2012 07:21:23 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 3.64p2
Message-ID: <20120222152123.3069.72978.idtracker@ietfa.amsl.com>
Date: Wed, 22 Feb 2012 07:21:23 -0800
Cc: kitten mailing list <kitten@ietf.org>, kitten chair <kitten-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [kitten] Protocol Action: 'A SASL and GSS-API Mechanism for SAML' to Proposed Standard (draft-ietf-kitten-sasl-saml-09.txt)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2012 15:21:35 -0000

The IESG has approved the following document:
- 'A SASL and GSS-API Mechanism for SAML'
  (draft-ietf-kitten-sasl-saml-09.txt) as a Proposed Standard

This document is the product of the Common Authentication Technology Next
Generation Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml/




Technical Summary

   This document describes a Simple Authentication and Security 
   Layer (SASL) mechanism for the SAML 2.0 specification.

Working Group Summary

   One controversial issue that may come up is in regard to another draft that
   the kitten WG has adopted; draft-ietf-sasl-saml-ec.  The saml and saml-ec drafts 
   both use SAML as an authentication function, but have different use cases.  The
   SAML solution requires fewer changes to the various entities than does
   SAML-EC.  SAML-EC requires that the SASL client change.  For cases such as
   browsers, this may not be an option in some environments.  SAML-EC also
   requires that the Identity Provider support its ECP profile.  However, SAML-EC
   provides a more integrated user solution and will provide additional support
   for GSS-API per-message tokens. 

Document Quality

   This protocol has been implemented in GNU SASL 1.7.0 and a number of
   applications have utilized this version including SimpleSAMLPHP 1.6.2
   with Jabberd server 2.2.11 and XMPPHP 0.1rc2-r77. 

Personnel

   The document shepherd is Shawn Emery
   The responsible AD is Stephen Farrell

RFC Editor Note

#1 In section 3.1 please delete a sentence as shown below:

OLD

  Domain name is specified in [RFC1035].  A domain name is either a
   "traditional domain name" as described in [RFC1035] or an
   "internationalized domain name" as described in [RFC5890].

NEW

    A domain name is either a
   "traditional domain name" as described in [RFC1035] or an
   "internationalized domain name" as described in [RFC5890].

#2 In section 3.2 please make the following replacement:

OLD
   Should the client
   support Internationalized Resource Identifiers (IRIs) [RFC3987] it
   MUST first convert the IRI to a URI before transmitting it to the
   server [RFC5890].

NEW
   Should the client
   support Internationalized Resource Identifiers (IRIs) [RFC3987] it
   MUST first map the IRI to a URI before transmitting it to the
   server, as defined in Section 3.1 of [RFC3987].





From internet-drafts@ietf.org  Fri Feb 24 09:09:58 2012
Return-Path: <internet-drafts@ietf.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C9B21F87C8; Fri, 24 Feb 2012 09:09:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.588
X-Spam-Level: 
X-Spam-Status: No, score=-102.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsrZ0ubDcWfb; Fri, 24 Feb 2012 09:09:53 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 156AE21F87AA; Fri, 24 Feb 2012 09:09:53 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.64p2
Message-ID: <20120224170953.18686.83514.idtracker@ietfa.amsl.com>
Date: Fri, 24 Feb 2012 09:09:53 -0800
Cc: kitten@ietf.org
Subject: [kitten] I-D Action: draft-ietf-kitten-sasl-openid-08.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 17:09:58 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next
Generation Working Group of the IETF.

	Title           : A SASL & GSS-API Mechanism for OpenID
	Author(s)       : Eliot Lear
                          Hannes Tschofenig
                          Henry Mauldin
                          Simon Josefsson
	Filename        : draft-ietf-kitten-sasl-openid-08.txt
	Pages           : 18
	Date            : 2012-02-24

   OpenID has found its usage on the Internet for Web Single Sign-On.
   Simple Authentication and Security Layer (SASL) and the Generic
   Security Service Application Program Interface (GSS-API) are
   application frameworks to generalize authentication.  This memo
   specifies a SASL and GSS-API mechanism for OpenID that allows the
   integration of existing OpenID Identity Providers with applications
   using SASL and GSS-API.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-kitten-sasl-openid-08.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-kitten-sasl-openid-08.txt


From lear@cisco.com  Fri Feb 24 09:13:02 2012
Return-Path: <lear@cisco.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E0421F88D7; Fri, 24 Feb 2012 09:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.539
X-Spam-Level: 
X-Spam-Status: No, score=-110.539 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iM2A1I7FNdW9; Fri, 24 Feb 2012 09:13:01 -0800 (PST)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id 6D37F21F88D3; Fri, 24 Feb 2012 09:13:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=lear@cisco.com; l=4783; q=dns/txt; s=iport; t=1330103580; x=1331313180; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to; bh=8P075xqjYIKz25bV4YgMTxXnThKLFywDiUhL7+esLVI=; b=UaXGktI4GwF4SnG3tntV3x0ylJvFr4Dnw3NHnAtGSnlaO6UvHph+oFoa LS3Ie8HZVqR9YU3MRCq3yneHw2Q8KATLfu+fK+gfeO3Q+5cv0Bjj8J6Yi 6o9U1P2MAQYfn8Qa3i0JK1LKf0o6luoLENt6Ds2UQUi7QS9VaMYPoBg3x 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFABLER0+Q/khR/2dsb2JhbAA7CYUorV+BB4FzAQEBBAEBAQ8BEEsKARALBBQJFgsCAgkDAgECARUwEwEFAgEBBRmHZAuaGgGMZZF5iXCDGwsKWggBDAqEYS8HCjMMBggSgiaBFgSVO5Jw
X-IronPort-AV: E=Sophos;i="4.73,476,1325462400"; d="scan'208,217";a="67017413"
Received: from ams-core-1.cisco.com ([144.254.72.81]) by ams-iport-2.cisco.com with ESMTP; 24 Feb 2012 17:12:56 +0000
Received: from dhcp-10-55-81-158.cisco.com (dhcp-10-55-81-158.cisco.com [10.55.81.158]) by ams-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id q1OHCugg025625; Fri, 24 Feb 2012 17:12:56 GMT
Message-ID: <4F47C518.2080909@cisco.com>
Date: Fri, 24 Feb 2012 18:12:56 +0100
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: internet-drafts@ietf.org
References: <20120224170953.18686.83514.idtracker@ietfa.amsl.com>
In-Reply-To: <20120224170953.18686.83514.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.3.5
Content-Type: multipart/alternative; boundary="------------050902070201020209090507"
Cc: kitten@ietf.org, i-d-announce@ietf.org
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-openid-08.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 17:13:02 -0000

This is a multi-part message in MIME format.
--------------050902070201020209090507
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

This version resolves a number of issues raised by the IESG, including:

  * a discussion regarding =
  * stable references from the openid foundation
  * size of nonce
  * internationalization
  * and a few others.


On 2/24/12 6:09 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Common Authentication Technology Next Generation Working Group of the IETF.
>
> 	Title           : A SASL & GSS-API Mechanism for OpenID
> 	Author(s)       : Eliot Lear
>                           Hannes Tschofenig
>                           Henry Mauldin
>                           Simon Josefsson
> 	Filename        : draft-ietf-kitten-sasl-openid-08.txt
> 	Pages           : 18
> 	Date            : 2012-02-24
>
>    OpenID has found its usage on the Internet for Web Single Sign-On.
>    Simple Authentication and Security Layer (SASL) and the Generic
>    Security Service Application Program Interface (GSS-API) are
>    application frameworks to generalize authentication.  This memo
>    specifies a SASL and GSS-API mechanism for OpenID that allows the
>    integration of existing OpenID Identity Providers with applications
>    using SASL and GSS-API.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-kitten-sasl-openid-08.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-kitten-sasl-openid-08.txt
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>

--------------050902070201020209090507--

From internet-drafts@ietf.org  Tue Feb 28 08:58:14 2012
Return-Path: <internet-drafts@ietf.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 891B321F86A4; Tue, 28 Feb 2012 08:58:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.552
X-Spam-Level: 
X-Spam-Status: No, score=-102.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1OpOe3D-hsKW; Tue, 28 Feb 2012 08:58:14 -0800 (PST)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA3F21F842B; Tue, 28 Feb 2012 08:58:14 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.00
Message-ID: <20120228165814.5974.31976.idtracker@ietfa.amsl.com>
Date: Tue, 28 Feb 2012 08:58:14 -0800
Cc: kitten@ietf.org
Subject: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2012 16:58:14 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next
Generation Working Group of the IETF.

	Title           : SAML Enhanced Client SASL and GSS-API Mechanisms
	Author(s)       : Scott Cantor
                          Simon Josefsson
	Filename        : draft-ietf-kitten-sasl-saml-ec-01.txt
	Pages           : 27
	Date            : 2012-02-28

   Security Assertion Markup Language (SAML) 2.0 is a generalized
   framework for the exchange of security-related information between
   asserting and relying parties.  Simple Authentication and Security
   Layer (SASL) and the Generic Security Service Application Program
   Interface (GSS-API) are application frameworks to facilitate an
   extensible authentication model.  This document specifies a SASL and
   GSS-API mechanism for SAML 2.0 that leverages the capabilities of a
   SAML-aware "enhanced client" to address significant barriers to
   federated authentication in a manner that encourages reuse of
   existing SAML bindings and profiles designed for non-browser
   scenarios.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-kitten-sasl-saml-ec-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-kitten-sasl-saml-ec-01.txt


From jbasney@illinois.edu  Tue Feb 28 14:41:59 2012
Return-Path: <jbasney@illinois.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D7121E802D for <kitten@ietfa.amsl.com>; Tue, 28 Feb 2012 14:41:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AhL1F+ROGoDJ for <kitten@ietfa.amsl.com>; Tue, 28 Feb 2012 14:41:59 -0800 (PST)
Received: from dscas1.ad.uiuc.edu (dscas1.ad.uiuc.edu [128.174.68.119]) by ietfa.amsl.com (Postfix) with ESMTP id 11BA421E8018 for <kitten@ietf.org>; Tue, 28 Feb 2012 14:41:58 -0800 (PST)
Received: from bit.ncsa.uiuc.edu (141.142.220.216) by smtp-secure.illinois.edu (128.174.68.18) with Microsoft SMTP Server (TLS) id 8.3.159.2; Tue, 28 Feb 2012 16:41:51 -0600
Message-ID: <4F4D582F.7070504@illinois.edu>
Date: Tue, 28 Feb 2012 16:41:51 -0600
From: Jim Basney <jbasney@illinois.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: kitten@ietf.org
References: <20120228165814.5974.31976.idtracker@ietfa.amsl.com>
In-Reply-To: <20120228165814.5974.31976.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.3.5
OpenPGP: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2012 22:41:59 -0000

The changes in draft-ietf-kitten-sasl-saml-ec-01 look good to me. Thanks
for adding the clarifying text.

My next question is about this paragraph:

   The SAML SASL Enhanced Clients mechanism is also a GSS-API mechanism.
   The messages are the same, but a) the GS2 header on the client's
   first message is excluded when SAML EC is used as a GSS-API
   mechanism, and b) the RFC2743 section 3.1 initial context token
   header is prefixed to the client's first authentication message
   (context token).

I'd appreciate if you could confirm if I understand this right.

Section 4.2 gives the initial client response as:

   holder-of-key = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
   initial-response = gs2-cb-flag "," [gs2-authzid] "," [holder-of-key]

I think the GS2 header part is:

   gs2-header = gs2-cb-flag "," [gs2-authzid] ","

So if we exclude the GS2 header and we don't support holder-of-key, then
our first output_token from gss_init_sec_context() is the GSS-API
initial context token tag (using OID 1.3.6.1.4.1.11591.4.6) with an
empty mechanism-defined token object:

0x60 0x0b 0x06 0x09 0x2b 0x06 0x01 0x04 0x01 0xda 0x47 0x04 0x06

And if we do support holder-of-key, then our first output_token from
gss_init_sec_context() has
"urn:oasis:names:tc:SAML:2.0:cm:holder-of-key" as the mechanism-defined
token object, which adds 44 bytes to our initial context token for a
total length of 55 (0x37) bytes, giving:

0x60 0x37 0x06 0x09 0x2b 0x06 0x01 0x04 0x01 0xda 0x47 0x04 0x06 0x75
0x72 0x6e 0x3a 0x6f 0x61 0x73 0x69 0x73 0x3a 0x6e 0x61 0x6d 0x65 0x73
0x3a 0x74 0x63 0x3a 0x53 0x41 0x4d 0x4c 0x3a 0x32 0x2e 0x30 0x3a 0x63
0x6d 0x3a 0x68 0x6f 0x6c 0x64 0x65 0x72 0x2d 0x6f 0x66 0x2d 0x6b 0x65 0x79

Have I got that right?

Thanks,
Jim

From nico@cryptonector.com  Tue Feb 28 16:31:04 2012
In-Reply-To: <4F4D582F.7070504@illinois.edu>
References: <20120228165814.5974.31976.idtracker@ietfa.amsl.com> <4F4D582F.7070504@illinois.edu>
Date: Tue, 28 Feb 2012 18:31:03 -0600
Message-ID: <CAK3OfOg5UEGPU+YwyeFya4b_hOO5ttO+O2quonYe3YDusJDXSA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Jim Basney <jbasney@illinois.edu>
Content-Type: text/plain; charset=UTF-8
Cc: kitten@ietf.org
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt

On Tue, Feb 28, 2012 at 4:41 PM, Jim Basney <jbasney@illinois.edu> wrote:
> So if we exclude the GS2 header and we don't support holder-of-key, then
> our first output_token from gss_init_sec_context() is the GSS-API
> initial context token tag (using OID 1.3.6.1.4.1.11591.4.6) with an
> empty mechanism-defined token object:

The GSS-API does not permit empty tokens.  I'm not sure if an initial
context token that is empty but for the pseudo-ASN.1 header is OK.
However, I think the right thing to do is to add one constant byte to
this one token.

> And if we do support holder-of-key, then our first output_token from
> gss_init_sec_context() has
> "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key" as the mechanism-defined
> token object, which adds 44 bytes to our initial context token for a
> total length of 55 (0x37) bytes, giving:
>
> 0x60 0x37 0x06 0x09 0x2b 0x06 0x01 0x04 0x01 0xda 0x47 0x04 0x06 0x75
> 0x72 0x6e 0x3a 0x6f 0x61 0x73 0x69 0x73 0x3a 0x6e 0x61 0x6d 0x65 0x73
> 0x3a 0x74 0x63 0x3a 0x53 0x41 0x4d 0x4c 0x3a 0x32 0x2e 0x30 0x3a 0x63
> 0x6d 0x3a 0x68 0x6f 0x6c 0x64 0x65 0x72 0x2d 0x6f 0x66 0x2d 0x6b 0x65 0x79
>
> Have I got that right?

Er, I've not checked that the above starts with the right pseudo-ASN.1
header, but assuming it does, then yes.

Nico
--

From cantor.2@osu.edu  Tue Feb 28 16:35:31 2012
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Jim Basney <jbasney@illinois.edu>, "kitten@ietf.org" <kitten@ietf.org>
Date: Wed, 29 Feb 2012 00:35:29 +0000
Message-ID: <CB72DC8A.1602C%cantor.2@osu.edu>
In-Reply-To: <4F4D582F.7070504@illinois.edu>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt

On 2/28/12 5:41 PM, "Jim Basney" <jbasney@illinois.edu> wrote:
>
>I'd appreciate if you could confirm if I understand this right.
>
>Section 4.2 gives the initial client response as:
>
>   holder-of-key = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
>   initial-response = gs2-cb-flag "," [gs2-authzid] "," [holder-of-key]
>
>I think the GS2 header part is:
>
>   gs2-header = gs2-cb-flag "," [gs2-authzid] ","

I think the GS2 header is the entire set of options in that section.
That's SASL-specific material for GS2 as a SASL mech. At least, that's
been my understanding.

I don't believe the holder of key signaling is usable in GSS alone, I put
it into the SASL header just because I could. There are out of band means
to control use of HoK without needing it to be negotiable inline, I just
did it because it was convenient and matched up with the PAOS variant.

-- Scott


From nico@cryptonector.com  Tue Feb 28 16:39:49 2012
In-Reply-To: <CB72DC8A.1602C%cantor.2@osu.edu>
References: <4F4D582F.7070504@illinois.edu> <CB72DC8A.1602C%cantor.2@osu.edu>
Date: Tue, 28 Feb 2012 18:39:47 -0600
Message-ID: <CAK3OfOijwwgU8UkTHP+eLkU5f2a1Q18Cr=h5FMYMZn3xJH5VkQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Cantor, Scott" <cantor.2@osu.edu>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt

On Tue, Feb 28, 2012 at 6:35 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
> On 2/28/12 5:41 PM, "Jim Basney" <jbasney@illinois.edu> wrote:
>>
>>I'd appreciate if you could confirm if I understand this right.
>>
>>Section 4.2 gives the initial client response as:
>>
>>   holder-of-key = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
>>   initial-response = gs2-cb-flag "," [gs2-authzid] "," [holder-of-key]
>>
>>I think the GS2 header part is:
>>
>>   gs2-header = gs2-cb-flag "," [gs2-authzid] ","
>
> I think the GS2 header is the entire set of options in that section.
> That's SASL-specific material for GS2 as a SASL mech. At least, that's
> been my understanding.
>
> I don't believe the holder of key signaling is usable in GSS alone, I put
> it into the SASL header just because I could. There are out of band means
> to control use of HoK without needing it to be negotiable inline, I just
> did it because it was convenient and matched up with the PAOS variant.

RFC5801 defines the gs2-header like this:

    gs2-header = [gs2-nonstd-flag ","] gs2-cb-flag "," [gs2-authzid] ","

The gs2-nonstd-flag and gs2-cb-flag are single-character values, and
the gs2-authzid is "a=" saslname.

Everything else after that trailing comma in the gs2-header can only
be part of the GSS initial security context token.

Nico
--
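The two framings of the client's first message that Jim's byte counts and Nico's RFC 5801 gs2-header split above describe, as an added Python example that is not part of any message in this thread or of the draft. Assumptions: the mechanism OID is the value Jim quoted (which Scott says may not be official), and the gs2-header regex is my reading of the RFC 5801 ABNF.

```python
# Added example, not from the thread or the draft. Assumptions: the mechanism OID
# is the value Jim quoted (Scott says it may be unofficial); GS2_HEADER is my
# reading of the RFC 5801 gs2-header ABNF.
import re

MECH_OID_FROM_THREAD = "1.3.6.1.4.1.11591.4.6"  # assumed, per the thread
HOLDER_OF_KEY = b"urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
# gs2-header = [gs2-nonstd-flag ","] gs2-cb-flag "," [gs2-authzid] ","
GS2_HEADER = re.compile(rb"^(?:(F),)?(n|y|p=[^,]+),(?:a=([^,]+))?,")

def der_length(n):
    """DER definite-form length: one byte up to 127, long form above."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted form, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)

def wrap_initial_context_token(mech_token, oid=MECH_OID_FROM_THREAD):
    """Prefix the RFC 2743 section 3.1 InitialContextToken header (tag 0x60).
    The length counts OID plus mech_token, not the two header bytes, so Jim's
    holder-of-key token carries 0x37 (55) in its header but is 57 bytes long."""
    inner = encode_oid(oid) + mech_token
    return b"\x60" + der_length(len(inner)) + inner

def unwrap_initial_context_token(token, oid=MECH_OID_FROM_THREAD):
    """Check the RFC 2743 header and return the mechanism-defined token.
    Rejects a wrong tag, a length that disagrees with the buffer, or another
    mechanism OID. Returns b"" in the no-holder-of-key case Nico flags."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (tag 0x60 expected)")
    n, pos = token[1], 2
    if n & 0x80:  # long-form length
        width = n & 0x7F
        if width == 0 or len(token) < 2 + width:
            raise ValueError("bad long-form length")
        n, pos = int.from_bytes(token[2:2 + width], "big"), 2 + width
    if len(token) != pos + n:
        raise ValueError("token length does not match the header")
    expected = encode_oid(oid)
    if not token.startswith(expected, pos):
        raise ValueError("unexpected mechanism OID")
    return token[pos + len(expected):]

def split_sasl_initial_response(msg):
    """Split a GS2 initial response into (nonstd, cb_flag, authzid, rest); rest
    is everything after the trailing comma, i.e. the GSS initial token bytes."""
    m = GS2_HEADER.match(msg)
    if not m:
        raise ValueError("malformed gs2-header")
    nonstd, cb_flag, authzid = m.group(1), m.group(2), m.group(3)
    return (nonstd is not None, cb_flag.decode(),
            authzid.decode() if authzid else None, msg[m.end():])

def sasl_to_gss(msg):
    """GSS-API form of the same first message: drop the gs2-header and
    prefix the RFC 2743 header (the two differences the draft lists)."""
    return wrap_initial_context_token(split_sasl_initial_response(msg)[3])

if __name__ == "__main__":
    tok = sasl_to_gss(b"n,," + HOLDER_OF_KEY)  # constructed sample message
    print(len(tok), tok.hex(" "))              # 57 bytes, starting 60 37 06 09
```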

From cantor.2@osu.edu  Tue Feb 28 16:41:53 2012
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Nico Williams <nico@cryptonector.com>, Jim Basney <jbasney@illinois.edu>
Date: Wed, 29 Feb 2012 00:41:34 +0000
Message-ID: <CB72DD0B.16031%cantor.2@osu.edu>
In-Reply-To: <CAK3OfOg5UEGPU+YwyeFya4b_hOO5ttO+O2quonYe3YDusJDXSA@mail.gmail.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt

On 2/28/12 7:31 PM, "Nico Williams" <nico@cryptonector.com> wrote:
>
>The GSS-API does not permit empty tokens.  I'm not sure if an initial
>context token that is empty but for the pseudo-ASN.1 header is OK.
>However, I think the right thing to do is to add one constant byte to
>this one token.

I copied that text from the other SAML mechanism (though I don't see it
there literally anymore), and Simon ok'd it, so I would assume that it is
ok to omit the constant byte. If not, I'll specify something in the next
draft.

Also, I'm not sure that OID is "official". In fact, I would guess it's
not. The SAML mech currently says in draft-09 that the mech OID is TBD, so
I would imagine this one is too. I can't honestly even say where it came
from.

-- Scott


From cantor.2@osu.edu  Tue Feb 28 16:45:28 2012
From: "Cantor, Scott" <cantor.2@osu.edu>
To: Nico Williams <nico@cryptonector.com>
Date: Wed, 29 Feb 2012 00:45:12 +0000
Message-ID: <CB72DE9C.16042%cantor.2@osu.edu>
In-Reply-To: <CAK3OfOijwwgU8UkTHP+eLkU5f2a1Q18Cr=h5FMYMZn3xJH5VkQ@mail.gmail.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-sasl-saml-ec-01.txt

On 2/28/12 7:39 PM, "Nico Williams" <nico@cryptonector.com> wrote:
>
>Everything else after that trailing comma in the gs2-header can only
>be part of the GSS initial security context token.

Ok, my mistake. Then the initial token content as currently defined would
be either empty or the HoK constant, and I'll fix the empty case if need
be.

-- Scott

