Re: [OAUTH-WG] Referencing TLS

John Bradley <ve7jtb@ve7jtb.com> Fri, 03 April 2015 20:35 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <51BF88CA-290A-4F57-82E9-C2A536EDCA8C@mnt.se>
Date: Fri, 03 Apr 2015 17:35:11 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <AD881DF9-45B7-42D1-9C8D-29D3DBC16469@ve7jtb.com>
References: <551DADCB.9040803@cs.tcd.ie> <551ED488.7000101@gmx.net> <C8F7F75D-A2B9-48DB-A438-9FDF8E4051EC@ve7jtb.com> <51BF88CA-290A-4F57-82E9-C2A536EDCA8C@mnt.se>
To: Leif Johansson <leifj@mnt.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/F3NP3BU2hyUkO3jJCwQGf9K-sNg>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Referencing TLS

That's true, most will never make it to the security considerations in the first place.

For those that do, getting the message out that TLS versions below 1.2 are not OK and pointing them to the BCP for the other 18 pages of info on the finer points of cipher suite selection and other really good stuff is probably the way to go.

I thought the draft BCP was quite good, but the key point about TLS version is down in 3.1.1 and many people won't get that far if I know developers.

Pointing at the BCP is definitely the correct thing to do.  Hitting the high point in the main spec doesn't hurt and might just remind some people who see stuff about DTLS and cipher suites in the BCP and have their brains turn off.

John B.

> On Apr 3, 2015, at 5:08 PM, Leif Johansson <leifj@mnt.se> wrote:
> 
>> On 3 Apr 2015, at 21:16, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>> Yes it is good, though reading that BCP may scare off implementers who will just ignore it. 
> 
> Those people are gonna ignore a bunch of other good advice too. Let's not chase the rabbit down every hole.
> 
>> 
>> We may still want to give the current advice of >= TLS 1.2 at the point of publication; see BCP xx for additional considerations. 
>> 
>> John B. 
>> 
>> 
>> Sent from my iPhone
>> 
>>> On Apr 3, 2015, at 2:57 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> 
>>> I learned something new: we can reference a BCP (instead of an RFC) and
>>> even if the RFC gets updated we will still have a stable reference.
>>> (See Stephen's response to my question below).
>>> 
>>> This is what we should do for our documents when we reference TLS in the
>>> future. We would reference the yet-to-become BCP (currently UTA-TLS
>>> document) and we essentially point to the recommended usage for TLS
>>> (version, ciphersuite, everything).
>>> 
>>> Isn't that great?
>>> 
>>> --------------------------------------------------------
>>> 
>>>> On 02/04/15 19:09, Hannes Tschofenig wrote:
>>>> Hi Stephen,
>>>> 
>>>> if I understand it correctly, you are saying if we reference a BCP #
>>>> (instead of the RFC) then a revised RFC will get the same BCP #. I have
>>>> never heard about that and if that's indeed true that would be cool. I
>>>> might also have misunderstood your idea though.
>>> 
>>> Yep, that's it. XML2RFC makes it hard but you can do it, worst
>>> case via an RFC editor note
>>> 
>>> S.
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth