Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 02 April 2015 18:42 UTC

Message-ID: <551D8D78.4000504@gmx.net>
Date: Thu, 02 Apr 2015 20:42:00 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Radia Perlman <radiaperlman@gmail.com>, Ben Laurie <benl@google.com>
References: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com> <551C0005.2000309@gmx.net> <alpine.GSO.1.10.1504011209550.22210@multics.mit.edu> <551C1970.4050600@cs.tcd.ie> <551C2568.3050301@gmx.net> <CAHbuEH65fyKWZpVRxst=-6arapic4vK-K3A38EuLv0f70gDDCg@mail.gmail.com> <CABrd9STN4sp3GYwXT20CsDJQ4DJMrN-zajjxypkZWSpEUi4BTA@mail.gmail.com> <CAFOuuo6o-cXjc4qb8N0UMEfvb3jT8ERfETVQCVag=5JjyBx-UQ@mail.gmail.com>
In-Reply-To: <CAFOuuo6o-cXjc4qb8N0UMEfvb3jT8ERfETVQCVag=5JjyBx-UQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/E0u_X06A7f0vNVDIzAnAoKMtjAw>
Cc: draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12

Radia,

this is what we wrote in RFC 6749:

----

1.6.  TLS Version

   Whenever Transport Layer Security (TLS) is used by this
   specification, the appropriate version (or versions) of TLS will vary
   over time, based on the widespread deployment and known security
   vulnerabilities.  At the time of this writing, TLS version 1.2
   [RFC5246] is the most recent version, but has a very limited
   deployment base and might not be readily available for
   implementation.  TLS version 1.0 [RFC2246] is the most widely
   deployed version and will provide the broadest interoperability.

----

We then moved on to something shorter in RFC 7009:

----

   The authorization server MUST use Transport Layer Security (TLS)
   [RFC5246] in a version compliant with [RFC6749], Section 1.6.
   Implementations MAY also support additional transport-layer security
   mechanisms that meet their security requirements.

----

and now we are at:

----

   the server MUST support TLS 1.2 RFC 5246 [RFC5246] and MAY
   support additional transport-layer mechanisms meeting its security
   requirements.

----

I personally don't care too much what we are saying since folks in the
OAuth group would like to say the right thing anyway: we want to use the
most recent version of TLS. Unfortunately that is not specific enough.

If the trick Stephen suggested with referencing BCP numbers (instead of
RFCs) helps then I would go for that.

On 04/02/2015 07:25 PM, Radia Perlman wrote:
> Can't it just say "MUST support version 1.2 or later version of TLS"?

Ciao
Hannes