[OAUTH-WG] TLS version requirements in OAuth 2.0 base

Barry Leiba <barryleiba@computer.org> Thu, 17 November 2011 08:41 UTC

From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Date: Thu, 17 Nov 2011 16:41:26 +0800
Message-ID: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com>
Subject: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

The OAuth base doc refers in two places to TLS versions (with the same
text in both places):

The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport-layer mechanisms meeting its security

In both the shepherd review and the AD review, this was called into question:
1. MUST for an old version and SHOULD for the current version seems wrong.
2. Having specific versions required locks us into those versions (for
example, all implementations will have to support TLS 1.0, even long
after it becomes obsolete, unless we rev the spec).

I have suggested the following change, as doc shepherd:

The authorization server MUST implement the current version of TLS
(1.2 [RFC5246] at the time of this writing), and SHOULD implement the
most widely deployed previous version (1.0 [RFC2246] at the time of this
writing), unless that version is deprecated due to security
vulnerabilities.  It MAY also implement additional transport-layer
mechanisms that meet its security requirements.

I believe this also gives us the effect we want, without the two
problems above.  There was consensus in the meeting for accepting this
text.  Confirming on the list:

Please respond to this thread if you *object* to this change, and say
why.  Please respond by 2 Dec 2011.

Barry, as document shepherd
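The proposed wording makes the version floor a function of what is current and what has since been deprecated, rather than pinning numbers into the spec. The following is an added example, not part of this message or of the OAuth specification, showing how an authorization server operator can express that rule in a server-side TLS configuration. It assumes Python's standard `ssl` module and a maintained set of deprecated versions (TLS 1.0 and 1.1 were deprecated by RFC 8996, long after this thread); the function and variable names are this example's own.

```python
import ssl

# Versions the operator treats as deprecated for security reasons.  The set is
# maintained by the deployment, not hard-coded into a spec: in 2011 it would
# have been empty, today (per RFC 8996) it holds TLS 1.0 and 1.1.
DEPRECATED_TLS_VERSIONS = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def compute_floor(current, previous, deprecated):
    """Apply the shepherd's rule: MUST implement the current version, SHOULD
    implement the previous one unless it is deprecated.  Returns the lowest
    protocol version the server should still accept."""
    if previous in deprecated:
        return current
    return previous


def make_authz_server_context(certfile=None, keyfile=None):
    """Build a server-side SSLContext for an OAuth authorization server whose
    minimum accepted version follows compute_floor().  Certificate paths are
    optional so the policy can be inspected without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Today's "current" is TLS 1.3 and the most widely deployed previous
    # version is TLS 1.2; 1.2 is not deprecated, so it stays the floor.
    ctx.minimum_version = compute_floor(
        ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2, DEPRECATED_TLS_VERSIONS
    )
    # TLS compression enables the CRIME class of attacks on bearer tokens in
    # transit; refuse it regardless of version.
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def accepts(ctx, offered):
    """Return True if a client offering only `offered` would be allowed by the
    context's version bounds (a config-level check, no handshake performed)."""
    if offered < ctx.minimum_version:
        return False
    cap = ctx.maximum_version
    if cap == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return True
    return offered <= cap


if __name__ == "__main__":
    ctx = make_authz_server_context()
    print("floor:", ctx.minimum_version.name)
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(f"{v.name}: {'accepted' if accepts(ctx, v) else 'rejected'}")
```

Re-evaluating `compute_floor` with the 2011 inputs from the message (current 1.2, previous 1.0, nothing yet deprecated) yields a floor of TLS 1.0, which is exactly what the proposed text asked for at the time; the same code yields TLS 1.2 today without anyone revising a spec, which is the point of the wording change.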