Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Fri, 20 January 2012 23:02 UTC

Since there is so much agreement and peace in the air, I would throw
a little editorial query:

Would it not be better to say "the appropriate version" instead of this
somewhat lawyerish "version (or versions)"?

Igor

On 1/20/2012 3:44 PM, Barry Leiba wrote:
>> Added to section 1:
>>
>>    TLS Version
>>
>>           Whenever TLS is required by this specification, the appropriate version (or versions) of
>>           TLS will vary over time, based on the widespread deployment and known security
>>           vulnerabilities. At the time of this writing, TLS version 1.2<xref target='RFC5246' />
>>           is the most recent version, but has a very limited deployment base and might not be
>>           readily available for implementation. TLS version 1.0<xref target='RFC2246' />  is the
>>           most widely deployed version, and will provide the broadest interoperability.
>>
>>           Implementations MAY also support additional transport-layer mechanisms that meet their
>>           security requirements.
>>
>> And referenced this section when TLS requirements were previously defined.
> That seems like a very sensible way to organize it; thanks.
>
> Barry