Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Eran Hammer <eran@hueniverse.com> Fri, 20 January 2012 20:18 UTC
From: Eran Hammer <eran@hueniverse.com>
To: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Date: Fri, 20 Jan 2012 13:18:07 -0700

Added to section 1:

TLS Version

Whenever TLS is required by this specification, the appropriate version (or versions) of TLS will vary over time, based on the widespread deployment and known security vulnerabilities. At the time of this writing, TLS version 1.2 <xref target='RFC5246' /> is the most recent version, but has a very limited deployment base and might not be readily available for implementation. TLS version 1.0 <xref target='RFC2246' /> is the most widely deployed version, and will provide the broadest interoperability. Implementations MAY also support additional transport-layer mechanisms that meet their security requirements.

And referenced this section when TLS requirements were previously defined.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Barry Leiba
> Sent: Sunday, December 18, 2011 10:56 AM
> To: oauth WG
> Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
>
> To close out this issue:
> There's disagreement about whether this proposed text is "necessary", but
> no one thinks it's *bad*, and I see consensus to use it. Eran, please make
> the following change in two places in the base document:
>
> > OLD
> > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> > support additional transport-layer mechanisms meeting its security
> > requirements.
>
> > NEW
> > The authorization server MUST implement TLS. Which version(s) ought
> > to be implemented will vary over time, and depend on the widespread
> > deployment and known security vulnerabilities at the time of
> > implementation. At the time of this writing, TLS version
> > 1.2 [RFC5246] is the most recent version, but has very limited actual
> > deployment, and might not be readily available in implementation
> > toolkits. TLS version 1.0 [RFC2246] is the most widely deployed
> > version, and will give the broadest interoperability.
> >
> > Servers MAY also implement additional transport-layer mechanisms that
> > meet their security requirements.
>
> Barry, as chair
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth