Re: [OAUTH-WG] TLS question from token revocation draft iesg evaluation

"Donald F Coffin" <donald.coffin@reminetworks.com> Mon, 03 June 2013 19:34 UTC

From: Donald F Coffin <donald.coffin@reminetworks.com>
To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, oauth@ietf.org
References: <51ABA293.4070700@cs.tcd.ie>
In-Reply-To: <51ABA293.4070700@cs.tcd.ie>
Date: Mon, 03 Jun 2013 12:26:52 -0700
Message-ID: <003e01ce6090$4d664c30$e832e490$@reminetworks.com>

Stephen,

I feel it should be MANDATORY to implement TLS1.2, especially since NIST is
in the process of deprecating TLS1.0 as a supported version.

Best regards,
Don
Donald F. Coffin
Founder/CTO

REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA  92688-3836

Phone:      (949) 636-8571
Email:       donald.coffin@reminetworks.com

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Sunday, June 02, 2013 12:53 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] TLS question from token revocation draft iesg evaluation


Hiya,

This draft has a couple of minor changes needed as a result of IESG review
(see [1]), but one question came up that I wanted to bring back to the WG to
see what you think. Any good answer should be fine, btw; this isn't a case of
the insisting on stuff.

The question is whether the WG think that the situation related to the
mandatory-to-implement TLS version has changed since that was last discussed
a couple of years ago. There have been changes in the implementation status
of TLS1.2 since then, mainly driven by the discovery of weaknesses with some
deployment choices for TLS1.0.

So - should we stick with TLS1.0 as MTI and TLS1.2 as a SHOULD implement,
or can we now safely bump up to TLS1.2 as MTI?

And since it's been a source of confusion here before, we're discussing
what's mandatory to *implement*, not what's mandatory to *use*.

Thanks,
S.

PS: the other changes are mechanical, so they don't need to take up WG time,
but feel free to comment to the list, chairs, authors, me, ... whatever.

[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/ballot/