Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

William Mills <wmills@yahoo-inc.com> Sun, 11 December 2011 17:28 UTC

Date: Sun, 11 Dec 2011 09:28:13 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Rob Richards <rrichards@cdatazone.org>, Mike Jones <Michael.Jones@microsoft.com>
In-Reply-To: <4EE3B24D.6000907@cdatazone.org>
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>

I think it's overkill, but I don't think it causes any problems.



________________________________
 From: Rob Richards <rrichards@cdatazone.org>
To: Mike Jones <Michael.Jones@microsoft.com> 
Cc: Barry Leiba <barryleiba@computer.org>; oauth WG <oauth@ietf.org> 
Sent: Saturday, December 10, 2011 11:26 AM
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
 
I am fine with it

Rob

On 12/9/11 1:30 PM, Mike Jones wrote:
> It looks to me like there is consensus for Barry's text (below).  Agreed?
>
>                 -- Mike
>
> NEW
> --------------------------------------------
> The authorization server MUST implement TLS.  Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation.  At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits.  TLS version 1.0 [RFC2246] is the most widely deployed version, and will give the broadest interoperability.
>
> Servers MAY also implement additional transport-layer mechanisms that meet their security requirements.
> --------------------------------------------
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Peter Saint-Andre
> Sent: Thursday, December 01, 2011 12:59 PM
> To: Stephen Farrell
> Cc: Barry Leiba; oauth WG
> Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
>
> On 12/1/11 1:57 PM, Stephen Farrell wrote:
>>
>> On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
>>> On 12/1/11 1:09 PM, Rob Richards wrote:
>>>> On 11/28/11 10:39 PM, Barry Leiba wrote:
>>>>>> The OAuth base doc refers in two places to TLS versions (with the
>>>>>> same text in both places:
>>>>>>
>>>>>> OLD
>>>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
>>>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
>>>>>> support additional transport-layer mechanisms meeting its security
>>>>>> requirements.
>>>>>>
>>>>>> In both the shepherd review and the AD review, this was called
>>>>>> into
>>>>>> question:
>>>>>> 1. MUST for an old version and SHOULD for the current version
>>>>>> seems wrong.
>>>>>> 2. Having specific versions required locks us into those versions
>>>>>> (for example, all implementations will have to support TLS 1.0,
>>>>>> even long after it becomes obsolete, unless we rev the spec).
>>>>> The comments I've gotten on this show a clear consensus against the
>>>>> change I suggest, and against any attempt to require a version of
>>>>> TLS other than 1.0.  I still, though, am concerned that locking
>>>>> this spec into TLS 1.0 is limiting.  So let me propose an
>>>>> alternative wording, which again tries to make the version(s)
>>>>> non-normative, while making it clear which version(s) need to be
>>>>> implemented to get
>>>>> interoperability:
>>>>>
>>>>> NEW
>>>>> --------------------------------------------
>>>>> The authorization server MUST implement TLS.  Which version(s)
>>>>> ought to be implemented will vary over time, and depend on the
>>>>> widespread deployment and known security vulnerabilities at the
>>>>> time of implementation.  At the time of this writing, TLS version
>>>>> 1.2 [RFC5246] is the most recent version, but has very limited
>>>>> actual deployment, and might not be readily available in
>>>>> implementation toolkits.  TLS version 1.0 [RFC2246] is the most
>>>>> widely deployed version, and will give the broadest
>>>>> interoperability.
>>>>>
>>>>> Servers MAY also implement additional transport-layer mechanisms
>>>>> that meet their security requirements.
>>>>> --------------------------------------------
>>>>>
>>>>> Comments on this version?
>>>>>
>>>>> Barry
>>>>>
>>>> Text is neutral enough for me as it's not mandating anything that
>>>> isn't readily available. Only comment is whether or not there is a
>>>> need to even talk about the specific versions or if just the
>>>> following is
>>>> enough:
>>>>
>>>> The authorization server MUST implement TLS. Which version(s) ought
>>>> to be implemented will vary over time, and depend on the widespread
>>>> deployment and known security vulnerabilities at the time of
>>>> implementation.
>>>>
>>>> Servers MAY also implement additional transport-layer mechanisms
>>>> that meet their security requirements.
>>> That seems fine to me.
>> FWIW, I think I'd prefer Barry's as Rob's would be more likely to
>> generate discusses and we do know that there are some security
>> advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if
>> the BEAST attack might affect oauth? Be good to know if someone's done
>> that analysis.)
>>
>> However, as AD, I could live with either, since lots of other specs
>> just say TLS. (But you need to point to the latest RFC as normative or
>> that will I bet generate discusses.)
> Agreed.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
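Added example, not part of the thread above. The NEW wording Barry proposed (and the OLD text it replaces) turns the TLS version set from a normative list into a deployment-time decision. The block below, written for this page with Python's standard ssl module only, shows what that decision looks like in a server's code: one context shaped by the OLD "MUST support TLS 1.0" text, one shaped by the NEW text with a policy floor, a small auditor that flags contexts whose floor is below that policy, and a helper that models the interoperability trade-off the thread discusses (a server whose floor is TLS 1.2 cannot talk to a TLS-1.0-only client at all). The threshold OLDEST_ACCEPTABLE, the function names and the fallback for OpenSSL builds without TLS 1.0 are this example's own assumptions; the thread itself only says that the right set of versions changes over time. No certificate is loaded because none is needed to inspect version policy.

```python
"""
Added example (not from the OAuth thread): the authorization server MUST
implement TLS, and which versions it admits is a policy set at deployment
time. Here that policy is an ssl.SSLContext plus a small auditor.
"""
import ssl
from typing import List, Optional, Sequence

V = ssl.TLSVersion

# Assumption of this example: nothing below TLS 1.2 is acceptable today.
# The thread only states that the acceptable set changes over time.
OLDEST_ACCEPTABLE = V.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """Server context shaped by the OLD text ('MUST support TLS 1.0')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = V.TLSv1
    except ValueError:
        # OpenSSL built without TLS 1.0: leave the floor wherever the library puts it.
        ctx.minimum_version = V.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Server context shaped by the NEW text: TLS is mandatory, the floor is policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = OLDEST_ACCEPTABLE
    ctx.maximum_version = V.MAXIMUM_SUPPORTED  # no ceiling: future versions stay usable
    # A real authorization server would now call ctx.load_cert_chain(certfile, keyfile).
    return ctx


def tls_policy_issues(ctx: ssl.SSLContext) -> List[str]:
    """Findings against OLDEST_ACCEPTABLE; an empty list means the context passes."""
    issues = []
    floor = ctx.minimum_version
    if floor == V.MINIMUM_SUPPORTED:
        issues.append("no explicit minimum version: floor is whatever OpenSSL allows")
    elif floor < OLDEST_ACCEPTABLE:
        issues.append(f"minimum version {floor.name} is below {OLDEST_ACCEPTABLE.name}")
    ceiling = ctx.maximum_version
    if ceiling != V.MAXIMUM_SUPPORTED and ceiling < OLDEST_ACCEPTABLE:
        issues.append(f"maximum version {ceiling.name} pins the server to an old version")
    return issues


def negotiated_version(server: ssl.SSLContext,
                       client_versions: Sequence[ssl.TLSVersion]) -> Optional[ssl.TLSVersion]:
    """Highest version both sides allow, or None when the two cannot interoperate.

    Models the trade-off in the thread: raising the server floor to TLS 1.2
    buys security but drops every client that only speaks TLS 1.0.
    """
    floor, ceiling = server.minimum_version, server.maximum_version
    lo = V.SSLv3 if floor == V.MINIMUM_SUPPORTED else floor
    hi = V.TLSv1_3 if ceiling == V.MAXIMUM_SUPPORTED else ceiling
    usable = [v for v in client_versions if lo <= v <= hi]
    return max(usable) if usable else None


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, "issues:", tls_policy_issues(ctx) or "none")
        print(name, "vs TLS 1.0-only client:", negotiated_version(ctx, [V.TLSv1]))
```

Running the module prints findings for the legacy context and none for the hardened one, and shows that the hardened context cannot negotiate with a client offering only TLS 1.0. The auditor reads back minimum_version and maximum_version rather than trusting what was assigned, so it also catches a floor that an OpenSSL build silently refused to set.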