Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Anthony Nadalin <tonynad@microsoft.com> Thu, 17 November 2011 11:15 UTC
From: Anthony Nadalin <tonynad@microsoft.com>
To: Rob Richards <rrichards@cdatazone.org>, Barry Leiba <barryleiba@computer.org>
Date: Thu, 17 Nov 2011 11:15:38 +0000
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
I would agree, as we ran into this from some of the deployments we had. What is the driving factor here for 1.2 over 1.0?

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Rob Richards
Sent: Thursday, November 17, 2011 3:07 AM
To: Barry Leiba
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Please refer to this thread about the problem with requiring anything more than TLS 1.0:
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html

You will end up with a spec that virtually no one can implement and be in conformance with. I still have yet to find an implementation out in the wild that supports anything more than TLS 1.0.

Rob

On 11/17/11 3:41 AM, Barry Leiba wrote:
> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places):
>
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> support additional transport-layer mechanisms meeting its security
> requirements.
>
> In both the shepherd review and the AD review, this was called into question:
> 1. MUST for an old version and SHOULD for the current version seems wrong.
> 2. Having specific versions required locks us into those versions (for
> example, all implementations will have to support TLS 1.0, even long
> after it becomes obsolete, unless we rev the spec).
>
> I have suggested the following change, as doc shepherd:
>
> NEW
> The authorization server MUST implement the current version of TLS
> (1.2 [RFC5246] at the time of this writing), and SHOULD implement the
> most widely deployed previous version (1.0 [RFC2246] at the time of this
> writing), unless that version is deprecated due to security
> vulnerabilities. It MAY also implement additional transport-layer
> mechanisms that meet its security requirements.
>
> I believe this also gives us the effect we want, without the two
> problems above. There was consensus in the meeting for accepting this
> text. Confirming on the list:
>
> Please respond to this thread if you *object* to this change, and say
> why. Please respond by 2 Dec 2011.
>
> Barry, as document shepherd
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
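As an added example, not part of this thread or of the OAuth spec, the OLD and NEW requirement texts quoted above encoded as a small conformance check in Python, plus a server-side ssl context whose version floor follows the NEW wording; the policy encoding and the sample version sets are my own, and the deprecated set reflects RFC 8996 (2021), which postdates this 2011 discussion.

```python
import ssl
from typing import Dict, FrozenSet, List, Set

# Version constants exposed by name so callers need not touch the ssl enum.
TLS10, TLS11, TLS12 = ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2
LABEL = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# The two normative texts from the thread, encoded as policies (my encoding, an assumption).
OLD_POLICY = {"must": TLS10, "should": TLS12, "should_waived_if_deprecated": False}
NEW_POLICY = {"must": TLS12, "should": TLS10, "should_waived_if_deprecated": True}

# Fact later than the thread: RFC 8996 (2021) deprecated TLS 1.0 and TLS 1.1.
DEPRECATED_RFC8996: FrozenSet[ssl.TLSVersion] = frozenset({TLS10, TLS11})


def check_conformance(policy: Dict, supported: Set[ssl.TLSVersion],
                      deprecated: FrozenSet[ssl.TLSVersion] = frozenset()) -> List[str]:
    """Evaluate a server's enabled TLS versions against a policy.

    Returns findings; an empty list means the server conforms and has no
    deprecated version enabled. MUST is unconditional; SHOULD is waived only
    when the version is deprecated and the policy permits that waiver.
    """
    findings = []
    if policy["must"] not in supported:
        findings.append(f"MUST violated: {LABEL[policy['must']]} not supported")
    should = policy["should"]
    waived = policy["should_waived_if_deprecated"] and should in deprecated
    if should not in supported and not waived:
        findings.append(f"SHOULD not met: {LABEL[should]} not supported")
    for v in sorted(supported):
        if v in deprecated:
            findings.append(f"risk: {LABEL[v]} is deprecated but still enabled")
    return findings


def server_context(policy: Dict, deprecated: FrozenSet[ssl.TLSVersion]) -> ssl.SSLContext:
    """Build a server-side context whose minimum version follows the policy:
    the MUST version, lowered to the SHOULD version only when that version is
    older and not deprecated."""
    floor = policy["must"]
    should = policy["should"]
    if should < floor and should not in deprecated:
        floor = should
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    return ctx


if __name__ == "__main__":
    # Constructed sample: an authorization server that only enables TLS 1.2.
    only_12 = {TLS12}
    print("OLD text:", check_conformance(OLD_POLICY, only_12, DEPRECATED_RFC8996))
    print("NEW text:", check_conformance(NEW_POLICY, only_12, DEPRECATED_RFC8996))
```

Under the OLD text a TLS 1.2-only server fails the MUST even after TLS 1.0 is deprecated, which is Barry's second objection; under the NEW text the same server conforms because the SHOULD is waived.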