Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Barry Leiba <barryleiba@computer.org> Thu, 17 November 2011 11:18 UTC

In-Reply-To: <4EC4EAE6.1020106@cdatazone.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <4EC4EAE6.1020106@cdatazone.org>
Date: Thu, 17 Nov 2011 19:18:39 +0800
Message-ID: <CALaySJKTS6D=+JL55QX2aHdUoamgruT0EM0MezVTdVvQQemruw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Rob Richards <rrichards@cdatazone.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

> Please refer to this thread about the problem with requiring anything more
> than TLS 1.0
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end up with a spec that virtually no one can implement and be in
> conformance with. I still have yet to find an implementation out in the wild
> that supports anything more than TLS 1.0.

Are you saying that there's some difficulty in *implementing* TLS 1.2?
If so, please explain what that difficulty is.

If you're saying that TLS 1.2 is not widely deployed, and so it's hard
to find two implementations that will actually *use* TLS 1.2 to talk
to each other, I have no argument with you.  But that's not the point.
If everyone implements only TLS 1.0, we'll never move forward.  And
when TLS 1.2 (or something later) does get rolled out, OAuth
implementations will be left behind.  If everyone implements 1.2 AND
1.0, then we'll be ready when things move.

I'm pretty sure there'll be trouble getting through the IESG with a
MUST for something two versions old, and a SHOULD for the current
version.

Barry