Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Anthony Nadalin <tonynad@microsoft.com> Thu, 17 November 2011 11:32 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Barry Leiba <barryleiba@computer.org>, Rob Richards <rrichards@cdatazone.org>
Cc: oauth WG <oauth@ietf.org>
Date: Thu, 17 Nov 2011 11:32:04 +0000
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E73A8BFCBC@SN2PRD0304MB235.namprd03.prod.outlook.com>
In-Reply-To: <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>

And if the servers don't implement the "should" on 1.0, how do we get deployments for the other actors that can't talk to 1.2?

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
Sent: Thursday, November 17, 2011 3:19 AM
To: Rob Richards
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

> Please refer to this thread about the problem with requiring anything 
> more than TLS 1.0 
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end up with a spec that virtually no one can implement and be 
> in conformance with. I still have yet to find an implementation out in 
> the wild that supports anything more than TLS 1.0

Are you saying that there's some difficulty in *implementing* TLS 1.2?  If so, please explain what that difficulty is.

If you're saying that TLS 1.2 is not widely deployed, and so it's hard to find two implementations that will actually *use* TLS 1.2 to talk to each other, I have no argument with you.  But that's not the point.  If everyone implements only TLS 1.0, we'll never move forward.  And when TLS 1.2 (or something later) does get rolled out, OAuth implementations will be left behind.  If everyone implements 1.2 AND 1.0, then we'll be ready when things move.

I'm pretty sure there'll be trouble getting through the IESG with a MUST for something two versions old, and a SHOULD for the current version.

Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth