Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Rob Richards <> Thu, 17 November 2011 11:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 453AD11E80BD for <>; Thu, 17 Nov 2011 03:51:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nbp9eCw+kzrh for <>; Thu, 17 Nov 2011 03:51:27 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B9B1211E80AD for <>; Thu, 17 Nov 2011 03:51:27 -0800 (PST)
Message-ID: <>
Date: Thu, 17 Nov 2011 06:51:20 -0500
From: Rob Richards <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Barry Leiba <>
References: <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: oauth WG <>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Nov 2011 11:51:28 -0000

I'm saying that it's very difficult for someone to implement an AS that 
implements TLS 1.2. TLS 1.2 is not supported in the a good number of 
systems people deploy on. For example, the use of Apache and OpenSSL 
accounts for a good number of web servers out there. The only way to 
deploy a conforming AS is to use a not yet released version of openssl, 
1.0.1, and rebuild or use a different crypto library and rebuild. The 
barrier for entry to use OAuth 2.0 has just became to high for the 
majority of people out there. I have already hit a scenario where the 
security group for a company has balked at OAuth 2.0, prior to the 
change relaxing TLS 1.2 usage, because the deployed system did not 
support TLS 1.2 and it's against policy to use non-vendor approved 
versions of packages. Requiring TLS 1.2 is going to cause the majority 
to release non-conforming deployments of OAuth 2, just as it was before 
the previous change.


On 11/17/11 6:18 AM, Barry Leiba wrote:
>> Please refer to this thread about the problem with requiring anything more
>> than TLS 1.0
>> You will end up with a spec that virtually no one can implement and be in
>> conformance with. I still have yet to find an implementation out in the wild
>> that supports anything more than TLS 1.0
> Are you saying that there's some difficulty in *implementing* TLS 1.2
> ?  If so, please explain what that difficulty is.
> If you're saying that TLS 1.2 is not widely deployed, and so it's hard
> to find two implementations that will actually *use* TLS 1.2 to talk
> to each other, I have no argument with you.  But that's not the point.
>   If everyone implements only TLS 1.0, we'll never move forward.  And
> when TLS 1.2 (or something later) does get rolled out, OAuth
> implementations will be left behind.  If everyone implements 1.2 AND
> 1.0, then we'll be ready when things move.
> I'm pretty sure there'll be trouble getting through the IESG with a
> MUST for something two versions old, and a SHOULD for the current
> version.
> Barry