Re: [OAUTH-WG] TLS question from token revocation draft iesg evaluation

Justin Richer <jricher@mitre.org> Tue, 04 June 2013 17:49 UTC

Message-ID: <51AE1B5A.1010904@mitre.org>
Date: Tue, 04 Jun 2013 12:52:42 -0400
From: Justin Richer <jricher@mitre.org>
To: Donald F Coffin <donald.coffin@reminetworks.com>
References: <51ABA293.4070700@cs.tcd.ie> <003e01ce6090$4d664c30$e832e490$@reminetworks.com>
In-Reply-To: <003e01ce6090$4d664c30$e832e490$@reminetworks.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] TLS question from token revocation draft iesg evaluation

This question will come up on other drafts as well, like Dynamic 
Registration and Introspection that I've been working on, so we should 
really decide what the language is going to be in order to be 
consistent. Would this also be filed as an erratum or something on 
RFC6749/6750? (Honestly not sure what/if the process is.)

I will say from the average app developer's perspective, though, that 
most people are just going to look to see if there's an "https" in the 
URL and call it done, so I'm personally not sure what a practical 
difference it will make how we specify things here. The people that care 
about TLS versions will already know to use 1.2 or whatever's the latest 
and greatest, and everyone else isn't going to check the version. 
However, I made this same argument back when this first came up in OAuth 
core and we still ended up having the TLS version language in there in 
the end.

  -- Justin


On 06/03/2013 03:26 PM, Donald F Coffin wrote:
> Stephen,
>
> I feel it should be MANDATORY to implement TLS1.2, especially since NIST is
> in the process of deprecating TLS1.0 as a supported version.
>
> Best regards,
> Don
> Donald F. Coffin
> Founder/CTO
>
> REMI Networks
> 22751 El Prado Suite 6216
> Rancho Santa Margarita, CA  92688-3836
>
> Phone:      (949) 636-8571
> Email:       donald.coffin@reminetworks.com
>
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Sunday, June 02, 2013 12:53 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] TLS question from token revocation draft iesg evaluation
>
>
> Hiya,
>
> This draft has a couple of minor changes needed as a result of IESG review
> (see [1]) but one question came up that I wanted to bring back to the WG to
> see what you think. Any good answer should be fine btw, this isn't a case of
> the insisting on stuff.
>
> The question is whether the WG think that the situation related to the
> mandatory-to-implement TLS version has changed since that was last discussed
> a couple of years ago. There have been changes in the implementation status
> of TLS1.2 since then, mainly driven by the discovery of weaknesses with some
> deployment choices for TLS1.0.
>
> So - should we stick with TLS1.0 as MTI and TLS1.2 as a SHOULD implement,
> or can we now safely bump up to TLS1.2 as MTI?
>
> And since it's been a source of confusion here before, we're discussing
> what's mandatory to *implement*, not what's mandatory to *use*.
>
> Thanks,
> S.
>
> PS: the other changes are mechanical so don't need to take up WG time but
> feel free to comment to the list, chairs, authors, me, ... whatever.
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/ballot/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
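Justin's point above is that the typical client check is "is there an https in the URL", which says nothing about which TLS version the connection actually negotiates. The snippet below is an added example, not code from anyone in this thread, showing the difference on the client side with the Python standard library: the URL-scheme check, a client context that enforces TLS 1.2 as the minimum version, and a check of the negotiated version on an established connection. The helper names (`url_looks_secure`, `make_strict_client_context`, `version_meets_minimum`, `connection_meets_minimum`) are my own and assume Python 3.7+ linked against an OpenSSL new enough to expose `SSLContext.minimum_version`.

```python
import ssl
from urllib.parse import urlparse

# Policy under discussion in the thread: TLS 1.2 as the floor.
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Map the strings returned by SSLSocket.version() onto the ssl.TLSVersion enum
# so that versions can be compared numerically.
_NAME_TO_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def url_looks_secure(url):
    """The "https in the URL" check most developers stop at.

    It only tells you the client will *attempt* TLS; it says nothing about
    which protocol version the peers will agree on.
    """
    return urlparse(url).scheme == "https"


def make_strict_client_context(minimum=MIN_VERSION):
    """Build a client context that refuses to negotiate below `minimum`.

    create_default_context() already enables certificate verification and
    hostname checking; setting minimum_version adds the version floor, so a
    server that only offers TLS 1.0 fails the handshake instead of connecting.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def version_meets_minimum(version_name, minimum=MIN_VERSION):
    """True if a version string such as 'TLSv1.2' is at or above `minimum`.

    Unknown strings (or None, meaning no TLS at all) are treated as failing.
    """
    version = _NAME_TO_VERSION.get(version_name)
    if version is None:
        return False
    return version >= minimum


def connection_meets_minimum(tls_sock, minimum=MIN_VERSION):
    """Post-handshake audit of an ssl.SSLSocket: was the floor respected?

    Useful as a defensive assertion in code that cannot control the context
    (for example when a library hands you an already-connected socket).
    """
    return version_meets_minimum(tls_sock.version(), minimum)


def main():
    # Constructed sample inputs; no network access is needed.
    for url in ("https://as.example/revoke", "http://as.example/revoke"):
        print(f"{url:32} https? {url_looks_secure(url)}")
    for name in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(f"negotiated {name:8} meets TLS1.2 floor? {version_meets_minimum(name)}")
    ctx = make_strict_client_context()
    print("client context minimum_version:", ctx.minimum_version.name)


if __name__ == "__main__":
    main()
```

The context is the part that does the actual work: with `minimum_version` set, a server offering only TLS 1.0 is rejected during the handshake rather than silently accepted, which is the gap between "https in the URL" and "mandatory to use TLS 1.2" that the thread is circling. The `connection_meets_minimum` check is the fallback for code paths where the context is not yours to configure.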