Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Barry Leiba <barryleiba@computer.org> Tue, 29 November 2011 03:39 UTC
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84F3921F8B3F for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 19:39:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.147
X-Spam-Level:
X-Spam-Status: No, score=-103.147 tagged_above=-999 required=5 tests=[AWL=-0.170, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m-+NweP-vq+G for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2011 19:39:45 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9B2A521F8B3B for <oauth@ietf.org>; Mon, 28 Nov 2011 19:39:45 -0800 (PST)
Received: by yenl2 with SMTP id l2so261924yen.31 for <oauth@ietf.org>; Mon, 28 Nov 2011 19:39:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=7uKjbrZQo6Y6M3D8/GhGAWYAdiTr7iVkThdkw76WI78=; b=pOpaUY8BmtZBwT2RfbpXqnTii/SWM/D4C7kdJoQE3WWRusztbqNHjkkQMfJd7OdumJ sWuIimLrLw0anRpiDooYkda+0vyW05T/fYDGvZDrIxSdIeCncbC+swr07lsJ+Ge/1+Bq +KXD4KeEY1I/5XuVXgRxFVCxdRST3dIZz4rkI=
MIME-Version: 1.0
Received: by 10.236.181.234 with SMTP id l70mr66295322yhm.49.1322537985297; Mon, 28 Nov 2011 19:39:45 -0800 (PST)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.146.107.9 with HTTP; Mon, 28 Nov 2011 19:39:45 -0800 (PST)
In-Reply-To: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
Date: Mon, 28 Nov 2011 22:39:45 -0500
X-Google-Sender-Auth: OLK9WSlffBbpCZgh-_ey0gM7-zU
Message-ID: <CAC4RtVABZSo2VXZ4pTGw9P+fdRrUWQajXm+SngQw6Ng9qK+NNQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 03:39:46 -0000
> The OAuth base doc refers in two places to TLS versions (with the same > text in both places: > > OLD > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY > support additional transport-layer mechanisms meeting its security > requirements. > > In both the shepherd review and the AD review, this was called into question: > 1. MUST for an old version and SHOULD for the current version seems wrong. > 2. Having specific versions required locks us into those versions (for > example, all implementations will have to support TLS 1.0, even long > after it becomes obsolete, unless we rev the spec. The comments I've gotten on this show a clear consensus against the change I suggest, and against any attempt to require a version of TLS other than 1.0. I still, though, am concerned that locking this spec into TLS 1.0 is limiting. So let me propose an alternative wording, which again tries to make the version(s) non-normative, while making it clear which version(s) need to be implemented to get interoperability: NEW -------------------------------------------- The authorization server MUST implement TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 [RFC2246] is the most widely deployed version, and will give the broadest interoperability. Servers MAY also implement additional transport-layer mechanisms that meet their security requirements. -------------------------------------------- Comments on this version? Barry
- [OAUTH-WG] TLS version requirements in OAuth 2.0 … Barry Leiba
- Re: [OAUTH-WG] TLS version requirements in OAuth … Rob Richards
- Re: [OAUTH-WG] TLS version requirements in OAuth … Anthony Nadalin
- Re: [OAUTH-WG] TLS version requirements in OAuth … Barry Leiba
- Re: [OAUTH-WG] TLS version requirements in OAuth … Anthony Nadalin
- Re: [OAUTH-WG] TLS version requirements in OAuth … Barry Leiba
- Re: [OAUTH-WG] TLS version requirements in OAuth … Rob Richards
- Re: [OAUTH-WG] TLS version requirements in OAuth … Justin Richer
- Re: [OAUTH-WG] TLS version requirements in OAuth … Phil Hunt
- Re: [OAUTH-WG] TLS version requirements in OAuth … Barry Leiba
- Re: [OAUTH-WG] TLS version requirements in OAuth … Rob Richards
- Re: [OAUTH-WG] TLS version requirements in OAuth … Peter Saint-Andre
- Re: [OAUTH-WG] TLS version requirements in OAuth … Stephen Farrell
- Re: [OAUTH-WG] TLS version requirements in OAuth … Peter Saint-Andre
- Re: [OAUTH-WG] TLS version requirements in OAuth … Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] TLS version requirements in OAuth … Mike Jones
- Re: [OAUTH-WG] TLS version requirements in OAuth … Stephen Farrell
- Re: [OAUTH-WG] TLS version requirements in OAuth … Rob Richards
- Re: [OAUTH-WG] TLS version requirements in OAuth … William Mills
- Re: [OAUTH-WG] TLS version requirements in OAuth … Justin Richer
- Re: [OAUTH-WG] TLS version requirements in OAuth … Barry Leiba
- Re: [OAUTH-WG] TLS version requirements in OAuth … Eran Hammer
- Re: [OAUTH-WG] TLS version requirements in OAuth … Barry Leiba
- Re: [OAUTH-WG] TLS version requirements in OAuth … Igor Faynberg