Re: [OAUTH-WG] TLS 1.2
Peter Saint-Andre <stpeter@stpeter.im> Tue, 16 August 2011 20:03 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E94E21F8A69 for <oauth@ietfa.amsl.com>; Tue, 16 Aug 2011 13:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.617
X-Spam-Level:
X-Spam-Status: No, score=-102.617 tagged_above=-999 required=5 tests=[AWL=-0.018, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIy4qsTBaL37 for <oauth@ietfa.amsl.com>; Tue, 16 Aug 2011 13:03:49 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 7484321F8A66 for <oauth@ietf.org>; Tue, 16 Aug 2011 13:03:49 -0700 (PDT)
Received: from dhcp-64-101-72-239.cisco.com (unknown [64.101.72.239]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 934494150D; Tue, 16 Aug 2011 14:06:34 -0600 (MDT)
Message-ID: <4E4ACD53.2010404@stpeter.im>
Date: Tue, 16 Aug 2011 14:04:35 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4E458571.1070500@cdatazone.org> <4E4AC6BA.2090007@cdatazone.org> <1313524116.13419.81.camel@ground> <90C41DD21FB7C64BB94121FBBC2E7234502498D1B0@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234502498D1B0@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-Enigmail-Version: 1.2
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS 1.2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2011 20:03:50 -0000
How's this? The authorization server MUST support Transport Layer Security (at the time of this writing, the latest version is specified in [RFC5246]). It MAY support additional transport-layer mechanisms meeting its security requirements. On 8/16/11 1:55 PM, Eran Hammer-Lahav wrote: > We should relax it. Just need someone to propose new language. > > EHL > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Justin Richer >> Sent: Tuesday, August 16, 2011 12:49 PM >> To: Rob Richards >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] TLS 1.2 >> >> As I recall, the logic of the group here was something like: >> >> "We want transport-layer encryption, so let's grab the latest version of that >> around, which looks to be TLS 1.2" >> >> With that logic in mind, this relaxation makes sense to me. Does anyone >> remember this requirement differently? >> >> -- Justin >> (who admittedly couldn't tell the difference between SSL and TLS) >> >> On Tue, 2011-08-16 at 15:36 -0400, Rob Richards wrote: >>> I wanted to follow up on this and see if there was any consideration >>> to relaxing this requirement. Can someone actually point me to a >>> compliant implementation using TLS 1.2 because after looking at a >>> number of them, I have yet to find one that does. >>> >>> Rob >>> >>> On 8/12/11 3:56 PM, Rob Richards wrote: >>>> The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2). >>>> Based on a thread about this from last year I was under the >>>> impression that it was going to be relaxed to a SHOULD with most >>>> likely TLS 1.0 (or posssibly SSLv3) as a MUST. I think it's a bit >>>> unrealistic to require >>>> 1.2 when many systems out there can't support it. IMO this is going >>>> to be a big stumbling block for people to implement a compliant >>>> OAuth system. Even PCI doesn't require 1.2. >>>> >>>> Rob >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Peter Saint-Andre https://stpeter.im/
- [OAUTH-WG] TLS 1.2 Rob Richards
- Re: [OAUTH-WG] TLS 1.2 Rob Richards
- Re: [OAUTH-WG] TLS 1.2 Justin Richer
- Re: [OAUTH-WG] TLS 1.2 Eran Hammer-Lahav
- Re: [OAUTH-WG] TLS 1.2 Peter Saint-Andre
- Re: [OAUTH-WG] TLS 1.2 Phillip Hunt
- Re: [OAUTH-WG] TLS 1.2 Rob Richards
- Re: [OAUTH-WG] TLS 1.2 Eran Hammer-Lahav
- Re: [OAUTH-WG] TLS 1.2 Rob Richards
- Re: [OAUTH-WG] TLS 1.2 Lu, Hui-Lan (Huilan)