[OAUTH-WG] OAuth 2.1 and TLS

Roberto Polli <robipolli@gmail.com> Tue, 16 February 2021 17:00 UTC

From: Roberto Polli <robipolli@gmail.com>
Date: Tue, 16 Feb 2021 17:59:36 +0100
Message-ID: <CAP9qbHVyeSKgZi4+KBOxi0OLny=GaTBrsygCSPwanLssLtm5Lg@mail.gmail.com>
To: oauth@ietf.org
Cc: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iXJ1-W3aP5zMF611vj5L-A7QB4E>

Hi everybody,

I provided some feedback on TLS usage on OAuth 2.1.
You can find it in this commentable PR:

- https://github.com/aaronpk/oauth-v2-1/pull/30/files

As a first-time reader of this I-D I found that the various
references to TLS were a bit confusing because:

- sometimes it was explicitly stated as MUST
- sometimes it was not mentioned
- in other parts it MAY not use TLS (e.g. `loopback`).

Moreover, various pieces of information on how to process TLS
were given: I am not sure whether this makes the spec
more secure or less secure, as there are specs
related to TLS security, including RFC8740, which does not
seem to be included (it's not in BCP195, which applies to TLS<=1.2).
Probably we need a way to delegate elsewhere all the quirks of
TLS/whatever channel security mechanism is used.

The general idea of the above PR is to:

- move everything about TLS to a specific section;
- state that TLS MUST be used unless `loopback`;
- further quotes of TLS are expected to be non-normative.

Feedback welcome,
R
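The rule proposed in the message ("TLS MUST be used unless `loopback`") is the kind of thing an authorization server checks when a client registers or presents a redirect URI. The following is an added example, written for this archive page and not code from the author or from the OAuth 2.1 draft: it accepts `https` URIs unconditionally and `http` URIs only when the host is a loopback IP literal (`127.0.0.0/8` or `::1`). The function names, the sample URI list, and the decision to reject the name `localhost` (which need not resolve to a loopback address) and private-use schemes (out of scope here) are all assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_host(host: str) -> bool:
    """True only for a loopback IP *literal* (127.0.0.0/8 or ::1).

    A hostname such as 'localhost' is deliberately rejected: it is resolved
    by the client machine and is not guaranteed to map to a loopback address,
    so keying the TLS exemption on the name alone would be unsafe.
    (Assumption of this example; the draft text speaks of loopback.)
    """
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_allowed(uri: str) -> bool:
    """Apply 'TLS MUST be used unless loopback' to a single redirect URI.

    https  -> allowed
    http   -> allowed only when the host is a loopback IP literal
    other  -> rejected (private-use schemes are out of scope here)
    """
    parts = urlsplit(uri)          # scheme is normalised to lowercase
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        host = parts.hostname      # brackets stripped from IPv6 literals
        return host is not None and is_loopback_host(host)
    return False


def find_violations(uris):
    """Return the subset of registered redirect URIs that break the rule."""
    return [u for u in uris if not redirect_uri_allowed(u)]


# Constructed sample registration data for this example only.
SAMPLE_REDIRECT_URIS = [
    "https://client.example/cb",        # TLS: fine
    "http://127.0.0.1:4567/cb",         # loopback IPv4 literal: exempt
    "http://[::1]:4567/cb",             # loopback IPv6 literal: exempt
    "http://client.example/cb",         # plaintext to a real host: violation
    "http://localhost/cb",              # name, not a loopback literal: violation
    "http://10.0.0.1/cb",               # plaintext to a private address: violation
]

if __name__ == "__main__":
    for bad in find_violations(SAMPLE_REDIRECT_URIS):
        print("redirect_uri violates TLS rule:", bad)
```

Running the script reports the last three sample URIs. The same predicate can be applied at authorization time to the `redirect_uri` parameter so that a client cannot register an `https` URI and later present an `http` one.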