William Mills | 31 May 2012 16:56

Re: I-D Action: draft-ietf-kitten-sasl-oauth-01.txt


>________________________________
> From: Simon Josefsson <simon <at> josefsson.org>
>To: William Mills <wmills <at> yahoo-inc.com> 
>Cc: "kitten <at> ietf.org" <kitten <at> ietf.org> 
>Sent: Thursday, May 31, 2012 12:07 AM
>Subject: Re: I-D Action: draft-ietf-kitten-sasl-oauth-01.txt
> 
>This version looks much better to me -- thanks!
>
>As we discovered for RFC 6595, you may want to expand the TLS
>certificate verification text with some RFC 6125 wording.  See fifth
>paragraph of section 4 of RFC 6595.  It should also explain which
>identity string is compared to what's in the certificate.

I'll take a look, thanks.

>
>Also, it seems this variant supports the PLUS channel-binding enabled
>variant (I have not read the draft in detail there, but it is
>mentioned), so shouldn't it then also be able to support per-message
>tokens and GSS_Pseudo_random?  This could be done similar to SAML20EC
>(which is work in progress, but the mechanism it eventually uses could
>be the same).

Yes, it's -PLUS instead of doing CB in a single profile.  The draft
discusses the fact that some auth profiles have secrets that can be used
for per-message signing, so I think it COULD support per-message tokens. If
there is no shared secret to use, I don't think there's a way to bootstrap
this in channel that increases the security properties.

>
>/Simon

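The RFC 6125 point raised in the quoted message (the draft should say which identity string is compared to what in the server certificate) is easy to get wrong in a client, so here is an added example of the check itself. It is not code from the draft or from either poster: it implements RFC 6125 reference-identifier matching in Python over a constructed certificate dict whose shape mirrors what `ssl.SSLSocket.getpeercert()` returns, with the client's intended host name as the reference identifier, subjectAltName dNSName entries (or iPAddress entries for an IP-literal reference) as the presented identifiers, and the subject CN consulted only when the certificate carries no DNS-ID.

```python
"""RFC 6125-style reference-identifier matching (added example).

The client's reference identifier is the host name it intended to reach
(the string from its configuration or the user's input), never something
learned from DNS or from the server. It is compared against the presented
identifiers in the server certificate:
  - subjectAltName dNSName entries (DNS-ID), wildcard rules applied;
  - subjectAltName iPAddress entries when the reference is an IP literal;
  - the subject commonName (CN-ID) only if no DNS-ID is present at all.
The certificate below is a constructed dict, not a parsed X.509 object.
"""
import ipaddress


def _labels(name: str) -> list:
    # Case-insensitive, trailing-dot tolerant label split.
    return name.rstrip(".").lower().split(".")


def dns_id_matches(presented: str, reference: str) -> bool:
    """Match one dNSName presented identifier against the reference identifier.

    RFC 6125 section 6.4.3: a wildcard is accepted only as the complete
    left-most label, only in a name of at least three labels (so '*.com'
    never matches), and it matches exactly one label. A wildcard in the
    reference identifier is never acceptable.
    """
    if "*" in reference:
        return False
    p = _labels(presented)
    r = _labels(reference)
    if "*" in presented:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return len(p) == len(r) and p[1:] == r[1:] and r[0] != ""
    return p == r


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def verify_reference_identity(cert: dict, reference: str) -> bool:
    """Return True if the certificate's presented identifiers cover `reference`.

    cert = {"subjectAltName": [("DNS", "host"), ("IP Address", "192.0.2.1"), ...],
            "subject": {"commonName": "host"}}   (shape of getpeercert())
    """
    san = cert.get("subjectAltName", [])
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        # An IP literal is only ever matched against iPAddress SAN entries,
        # never against a dNSName or CN that happens to contain digits.
        return any(t == "IP Address" and _parse_ip(v) == ref_ip for t, v in san)
    dns_ids = [v for t, v in san if t == "DNS"]
    if dns_ids:
        # RFC 6125 section 6.4.4: once any DNS-ID exists, CN-ID is ignored.
        return any(dns_id_matches(d, reference) for d in dns_ids)
    cn = cert.get("subject", {}).get("commonName")
    return cn is not None and dns_id_matches(cn, reference)


if __name__ == "__main__":
    # Constructed sample certificate for a mail host.
    sample = {
        "subjectAltName": [("DNS", "imap.example.com"), ("DNS", "*.mail.example.com")],
        "subject": {"commonName": "ignored.example.com"},
    }
    for ref in ("imap.example.com", "a.mail.example.com", "b.a.mail.example.com",
                "ignored.example.com"):
        print(ref, verify_reference_identity(sample, ref))
```

The reference identifier passed in must be the name the client set out to contact; feeding it the name from a CNAME lookup or a server-supplied string would let an attacker choose what the certificate has to match.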