Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Justin Richer <jricher@mitre.org> Thu, 17 November 2011 15:28 UTC

Message-ID: <1321543706.7567.140.camel@ground>
From: Justin Richer <jricher@mitre.org>
To: Rob Richards <rrichards@cdatazone.org>
Date: Thu, 17 Nov 2011 10:28:26 -0500
In-Reply-To: <4EC4F538.6000406@cdatazone.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org> <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com> <4EC4F538.6000406@cdatazone.org>
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>

Agree with Rob here. Also, from an application and service developer's
perspective, the check for "TLS compliance" is going to go something
like this:

1) Does that url start with "https"?
2) If yes, I'm compliant!
3) If no, make the url start with "https"
4) Done!

Which will put us in exactly the position Rob outlines here. What we
really want is for people to use suitable socket encryption, whatever
that means at the time of deployment.

 -- Justin

On Thu, 2011-11-17 at 06:51 -0500, Rob Richards wrote:
> I'm saying that it's very difficult for someone to implement an AS that 
> implements TLS 1.2. TLS 1.2 is not supported in a good number of
> systems people deploy on. For example, the use of Apache and OpenSSL 
> accounts for a good number of web servers out there. The only way to 
> deploy a conforming AS is to use a not yet released version of openssl, 
> 1.0.1, and rebuild or use a different crypto library and rebuild. The 
> barrier for entry to use OAuth 2.0 has just become too high for the
> majority of people out there. I have already hit a scenario where the 
> security group for a company has balked at OAuth 2.0, prior to the 
> change relaxing TLS 1.2 usage, because the deployed system did not 
> support TLS 1.2 and it's against policy to use non-vendor approved 
> versions of packages. Requiring TLS 1.2 is going to cause the majority 
> to release non-conforming deployments of OAuth 2, just as it was before 
> the previous change.
> 
> Rob
> 
> On 11/17/11 6:18 AM, Barry Leiba wrote:
> >> Please refer to this thread about the problem with requiring anything more
> >> than TLS 1.0
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
> >>
> >> You will end up with a spec that virtually no one can implement and be in
> >> conformance with. I still have yet to find an implementation out in the wild
> >> that supports anything more than TLS 1.0
> > Are you saying that there's some difficulty in *implementing* TLS 1.2?
> > If so, please explain what that difficulty is.
> >
> > If you're saying that TLS 1.2 is not widely deployed, and so it's hard
> > to find two implementations that will actually *use* TLS 1.2 to talk
> > to each other, I have no argument with you.  But that's not the point.
> > If everyone implements only TLS 1.0, we'll never move forward.  And
> > when TLS 1.2 (or something later) does get rolled out, OAuth
> > implementations will be left behind.  If everyone implements 1.2 AND
> > 1.0, then we'll be ready when things move.
> >
> > I'm pretty sure there'll be trouble getting through the IESG with a
> > MUST for something two versions old, and a SHOULD for the current
> > version.
> >
> > Barry
> >
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
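The four-step "https prefix" check Justin describes, placed next to a check that actually looks at the protocol version negotiated, as an added example that is not part of this thread or of any OAuth implementation. The host names are constructed, and the minimum version is deliberately a deployment-time parameter rather than a constant baked into the code, which is the "suitable socket encryption, whatever that means at the time of deployment" point made above. Nothing here is specific to OAuth; the same check applies to any https endpoint (token endpoint, authorization endpoint, resource server).

```python
import socket
import ssl
from urllib.parse import urlsplit

# Ordering of protocol version strings as returned by ssl.SSLSocket.version().
_TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

_MIN_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def naive_tls_check(url: str) -> str:
    """Steps 1-4 from the message: look at the scheme, rewrite it to https if
    needed, declare victory. This says nothing about which protocol version
    (or cipher suite) the server will actually negotiate."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    return parts._replace(scheme="https").geturl()


def version_satisfies(negotiated: str, minimum: str) -> bool:
    """True if the negotiated protocol version is at least the required minimum."""
    if negotiated not in _TLS_ORDER or minimum not in _TLS_ORDER:
        raise ValueError(f"unknown TLS version: {negotiated!r} / {minimum!r}")
    return _TLS_ORDER[negotiated] >= _TLS_ORDER[minimum]


def make_client_context(minimum: str = "TLSv1.2") -> ssl.SSLContext:
    """Client context that refuses to negotiate below `minimum`.

    `minimum` is configuration (read it from the deployment's policy), so the
    floor can be raised later without touching application code."""
    if minimum not in _MIN_VERSION:
        raise ValueError(f"unsupported minimum TLS version: {minimum!r}")
    ctx = ssl.create_default_context()  # certificate + hostname verification on
    ctx.minimum_version = _MIN_VERSION[minimum]
    return ctx


def negotiated_version(url: str, minimum: str = "TLSv1.2", timeout: float = 5.0) -> str:
    """Connect to the URL's host and report the protocol version that was
    actually negotiated. Raises ssl.SSLError if the server cannot meet
    `minimum`, and ValueError if the URL is not https at all."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    host, port = parts.hostname, parts.port or 443
    ctx = make_client_context(minimum)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Constructed example URL; replace with a real authorization server to run.
    token_url = naive_tls_check("http://as.example.test/token")
    print("naive check says:", token_url)  # scheme fixed, version unknown
    try:
        ver = negotiated_version(token_url, minimum="TLSv1.2")
        print("negotiated:", ver, "ok:", version_satisfies(ver, "TLSv1.2"))
    except (OSError, ValueError) as exc:
        print("could not establish a compliant session:", exc)
```

Run against a real endpoint, `negotiated_version` either returns the version string the server agreed to or fails the handshake outright when the server cannot meet the floor; that failure is the behaviour Rob's example deployments (Apache with an OpenSSL that predates TLS 1.2) would see from a client configured this way, which is why the floor belongs in policy rather than in the spec's MUST.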