Re: [OAUTH-WG] TLS 1.2

Rob Richards <rrichards@cdatazone.org> Tue, 16 August 2011 20:33 UTC

Message-ID: <4E4AD454.9040302@cdatazone.org>
Date: Tue, 16 Aug 2011 16:34:28 -0400
From: Rob Richards <rrichards@cdatazone.org>
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4E458571.1070500@cdatazone.org> <4E4AC6BA.2090007@cdatazone.org> <1313524116.13419.81.camel@ground> <90C41DD21FB7C64BB94121FBBC2E7234502498D1B0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E4ACD53.2010404@stpeter.im>
In-Reply-To: <4E4ACD53.2010404@stpeter.im>
Cc: "oauth@ietf.org" <oauth@ietf.org>

After dealing with a few companies' security teams over the spec, I 
don't think it should be allowed too much room for interpretation and 
needs to be spelled out clearly. They would most likely interpret that 
as requiring the latest version of TLS at the time of implementation.

Maybe something more along the lines of:

The authorization server SHOULD support TLS 1.2 as defined in [RFC5246] 
but at a minimum MUST support TLS 1.0 as defined in [RFC2246], and MAY 
support additional transport-layer mechanisms meeting its security 
requirements.

On 8/16/11 4:04 PM, Peter Saint-Andre wrote:
> How's this?
>
>     The authorization server MUST support Transport Layer Security
>     (at the time of this writing, the latest version is specified in
>     [RFC5246]). It MAY support additional transport-layer mechanisms
>     meeting its security requirements.
>
> On 8/16/11 1:55 PM, Eran Hammer-Lahav wrote:
>> We should relax it. Just need someone to propose new language.
>>
>> EHL
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Justin Richer
>>> Sent: Tuesday, August 16, 2011 12:49 PM
>>> To: Rob Richards
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] TLS 1.2
>>>
>>> As I recall, the logic of the group here was something like:
>>>
>>> "We want transport-layer encryption, so let's grab the latest version of that
>>> around, which looks to be TLS 1.2"
>>>
>>> With that logic in mind, this relaxation makes sense to me. Does anyone
>>> remember this requirement differently?
>>>
>>>   -- Justin
>>>      (who admittedly couldn't tell the difference between SSL and TLS)
>>>
>>> On Tue, 2011-08-16 at 15:36 -0400, Rob Richards wrote:
>>>> I wanted to follow up on this and see if there was any consideration
>>>> to relaxing this requirement. Can someone actually point me to a
>>>> compliant implementation using TLS 1.2 because after looking at a
>>>> number of them, I have yet to find one that does.
>>>>
>>>> Rob
>>>>
>>>> On 8/12/11 3:56 PM, Rob Richards wrote:
>>>>> The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2).
>>>>> Based on a thread about this from last year I was under the
>>>>> impression that it was going to be relaxed to a SHOULD with most
>>>>> likely TLS 1.0 (or possibly SSLv3) as a MUST. I think it's a bit
>>>>> unrealistic to require
>>>>> 1.2 when many systems out there can't support it. IMO this is going
>>>>> to be a big stumbling block for people to implement a compliant
>>>>> OAuth system. Even PCI doesn't require 1.2.
>>>>>
>>>>> Rob
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>
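Whether a given authorization server actually negotiates TLS 1.2, the question Rob raises above, is something a practitioner can measure rather than argue about. The script below is an added example for this thread; it is not code from the OAuth WG, from RFC 5246, or from any implementation discussed in the thread. It does two things: `probe_versions()` pins the standard-library `ssl` client to one protocol version at a time and reports which handshakes a live host accepts (it needs network access, and it deliberately disables certificate verification because the question is protocol support, not identity), and `parse_server_hello_version()` decodes the version a server chose from a raw ServerHello record, including the TLS 1.3 case where the real selection sits in the supported_versions extension rather than in the legacy version field. `build_server_hello()` only constructs sample records so the parser can be exercised offline; the host name in the usage line and the all-zero random are placeholders.

```python
"""Probe and decode the TLS version an authorization server negotiates.

Added example, not code from the OAuth WG thread, RFC 5246 or any named
implementation.  Sample ServerHello records are constructed in-line.
"""
import socket
import ssl
import struct

# Wire-format version codes (RFC 5246 section 6.2.1; RFC 8446 section 4.2.1).
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 43   # supported_versions extension type (RFC 8446)


def parse_server_hello_version(record: bytes) -> str:
    """Return the protocol version the server selected in a ServerHello record.

    In TLS 1.3 ServerHello.legacy_version is frozen at 0x0303 and the real
    choice is carried in the supported_versions extension, so that wins
    when present.  Raises ValueError on anything that is not a ServerHello.
    """
    if len(record) < 5 or record[0] != 0x16:              # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:                   # 0x02 = server_hello
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    (selected,) = struct.unpack("!H", hello[0:2])          # legacy_version
    pos = 2 + 32                                           # skip legacy_version + random
    pos += 1 + hello[pos]                                  # skip session_id
    pos += 2 + 1                                           # skip cipher_suite + compression
    if pos > len(hello):
        raise ValueError("truncated ServerHello")
    if pos < len(hello):                                   # extensions block is optional
        if pos + 2 > len(hello):
            raise ValueError("truncated extensions length")
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_data_len]
            if ext_type == SUPPORTED_VERSIONS_EXT and len(data) == 2:
                (selected,) = struct.unpack("!H", data)   # the version actually chosen
            pos += 4 + ext_data_len
    return VERSION_NAMES.get(selected, "unknown 0x%04x" % selected)


def build_server_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Construct a minimal ServerHello record (constructed test data, not a capture)."""
    hello = struct.pack("!H", legacy_version)
    hello += b"\x00" * 32                                  # random: all-zero placeholder
    hello += b"\x00"                                       # empty session_id
    hello += b"\xc0\x2f"                                   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    hello += b"\x00"                                       # null compression
    if supported_versions is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_versions)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


PROBE_VERSIONS = (
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
)


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One handshake per version against host:port; returns {"TLS 1.2": bool, ...}.

    Needs network.  Verification is disabled on purpose: we are asking which
    protocol versions the server will speak, not whether its certificate is valid.
    """
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version                 # pin the handshake to this version
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for
            # the probe only, so a server that still speaks them is reported honestly.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = False                          # local library cannot offer it
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (OSError, ssl.SSLError):
            results[name] = False
    return results


if __name__ == "__main__":
    # Hypothetical host; substitute the authorization server's token endpoint host.
    print(probe_versions("as.example.com"))
```

Against the text Rob proposes, a result of `{"TLS 1.0": True, "TLS 1.2": False, ...}` satisfies the MUST but not the SHOULD; a server that rejects every version below 1.2 satisfies the SHOULD and fails the MUST as written, which is exactly the tension the thread is working through. The parser is the piece to reuse in passive detection: feed it the first handshake record from a captured connection and it reports the negotiated version without any cipher or certificate handling.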