Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Rob Richards <rrichards@cdatazone.org> Thu, 01 December 2011 20:09 UTC

Return-Path: <rrichards@cdatazone.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B26AC21F902C for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2011 12:09:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oS6fhIWa+Q6r for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2011 12:09:51 -0800 (PST)
Received: from smtp2go.com (smtp2go.com [207.58.142.213]) by ietfa.amsl.com (Postfix) with ESMTP id 97B5621F902D for <oauth@ietf.org>; Thu, 1 Dec 2011 12:09:50 -0800 (PST)
Message-ID: <4ED7DF0C.4000701@cdatazone.org>
Date: Thu, 01 Dec 2011 15:09:48 -0500
From: Rob Richards <rrichards@cdatazone.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <CAC4RtVABZSo2VXZ4pTGw9P+fdRrUWQajXm+SngQw6Ng9qK+NNQ@mail.gmail.com>
In-Reply-To: <CAC4RtVABZSo2VXZ4pTGw9P+fdRrUWQajXm+SngQw6Ng9qK+NNQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2011 20:09:53 -0000

On 11/28/11 10:39 PM, Barry Leiba wrote:
>> The OAuth base doc refers in two places to TLS versions (with the same
>> text in both places:
>>
>> OLD
>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
>> support additional transport-layer mechanisms meeting its security
>> requirements.
>>
>> In both the shepherd review and the AD review, this was called into question:
>> 1. MUST for an old version and SHOULD for the current version seems wrong.
>> 2. Having specific versions required locks us into those versions (for
>> example, all implementations will have to support TLS 1.0, even long
>> after it becomes obsolete, unless we rev the spec.
> The comments I've gotten on this show a clear consensus against the
> change I suggest, and against any attempt to require a version of TLS
> other than 1.0.  I still, though, am concerned that locking this spec
> into TLS 1.0 is limiting.  So let me propose an alternative wording,
> which again tries to make the version(s) non-normative, while making
> it clear which version(s) need to be implemented to get
> interoperability:
>
> NEW
> --------------------------------------------
> The authorization server MUST implement TLS.  Which version(s)
> ought to be implemented will vary over time, and depend on
> the widespread deployment and known security vulnerabilities at
> the time of implementation.  At the time of this writing, TLS version
> 1.2 [RFC5246] is the most recent version, but has very limited
> actual deployment, and might not be readily available in
> implementation toolkits.  TLS version 1.0 [RFC2246] is the
> most widely deployed version, and will give the broadest
> interoperability.
>
> Servers MAY also implement additional transport-layer
> mechanisms that meet their security requirements.
> --------------------------------------------
>
> Comments on this version?
>
> Barry
>

Text is neutral enough for me as it's not mandating anything that isn't 
readily available. Only comment is whether or not there is a need to 
even talk about the specific versions or if just the following is enough:

The authorization server MUST implement TLS. Which version(s) ought to 
be implemented will vary over time, and depend on the widespread 
deployment and known security vulnerabilities at the time of implementation.

Servers MAY also implement additional transport-layer mechanisms that 
meet their security requirements.

Rob