[OAUTH-WG] TLS version requirements in OAuth 2.0 base
Barry Leiba <barryleiba@computer.org> Thu, 17 November 2011 08:41 UTC
Date: Thu, 17 Nov 2011 16:41:26 +0800
From: Barry Leiba <barryleiba@computer.org>
To: oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
The OAuth base doc refers in two places to TLS versions (with the same text in both places):

OLD
   The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
   support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
   support additional transport-layer mechanisms meeting its security
   requirements.

In both the shepherd review and the AD review, this was called into question:

1. MUST for an old version and SHOULD for the current version seems wrong.

2. Having specific versions required locks us into those versions (for example, all implementations will have to support TLS 1.0, even long after it becomes obsolete, unless we rev the spec).

I have suggested the following change, as doc shepherd:

NEW
   The authorization server MUST implement the current version of TLS
   (1.2 [RFC5246] at the time of this writing), and SHOULD implement the
   most widely deployed previous version (1.0 [RFC2246] at the time of
   this writing), unless that version is deprecated due to security
   vulnerabilities. It MAY also implement additional transport-layer
   mechanisms that meet its security requirements.

I believe this also gives us the effect we want, without the two problems above. There was consensus in the meeting for accepting this text. Confirming on the list:

Please respond to this thread if you *object* to this change, and say why. Please respond by 2 Dec 2011.

Barry, as document shepherd
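As an added example, not part of Barry's message or of any OAuth draft, the following Python sketch shows what an authorization server's TLS configuration and a version audit look like under the NEW text. The CURRENT, PREVIOUS and DEPRECATED values are assumptions: 1.2 and 1.0 match the email's date, and marking 1.0/1.1 as deprecated reflects their later deprecation, which is exactly the case the "unless that version is deprecated" clause anticipates.

```python
import ssl

# Assumed policy inputs (not from the email): "current" TLS version,
# the "most widely deployed previous version", and the set of versions
# deprecated for security reasons. Adjust as the deprecation list evolves.
CURRENT = ssl.TLSVersion.TLSv1_2
PREVIOUS = ssl.TLSVersion.TLSv1
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def build_auth_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext meeting the NEW text: the current version is
    always enabled, and the previous version is offered only when it is not
    deprecated. Certificate loading is optional so this runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    floor = CURRENT if PREVIOUS in DEPRECATED else PREVIOUS
    ctx.minimum_version = floor                      # nothing older negotiates
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # "future replacements"
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def evaluate_versions(offered):
    """Audit the set of TLS versions a server actually negotiates against
    the NEW requirement. Returns (must_ok, should_ok, findings)."""
    offered = set(offered)
    findings = []
    must_ok = CURRENT in offered
    if not must_ok:
        findings.append("MUST violated: %s not offered" % CURRENT.name)
    if PREVIOUS in DEPRECATED:
        # The SHOULD is waived; offering the deprecated version is now a finding.
        should_ok = PREVIOUS not in offered
        if not should_ok:
            findings.append("deprecated previous version %s offered" % PREVIOUS.name)
    else:
        should_ok = PREVIOUS in offered
        if not should_ok:
            findings.append("SHOULD not met: %s not offered" % PREVIOUS.name)
    for v in sorted(offered & DEPRECATED, key=lambda x: x.value):
        if v != PREVIOUS:
            findings.append("deprecated version %s offered" % v.name)
    return must_ok, should_ok, findings
```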