Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 02 April 2015 18:42 UTC
Message-ID: <551D8D78.4000504@gmx.net>
Date: Thu, 02 Apr 2015 20:42:00 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Radia Perlman <radiaperlman@gmail.com>, Ben Laurie <benl@google.com>
References: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com> <551C0005.2000309@gmx.net> <alpine.GSO.1.10.1504011209550.22210@multics.mit.edu> <551C1970.4050600@cs.tcd.ie> <551C2568.3050301@gmx.net> <CAHbuEH65fyKWZpVRxst=-6arapic4vK-K3A38EuLv0f70gDDCg@mail.gmail.com> <CABrd9STN4sp3GYwXT20CsDJQ4DJMrN-zajjxypkZWSpEUi4BTA@mail.gmail.com> <CAFOuuo6o-cXjc4qb8N0UMEfvb3jT8ERfETVQCVag=5JjyBx-UQ@mail.gmail.com>
In-Reply-To: <CAFOuuo6o-cXjc4qb8N0UMEfvb3jT8ERfETVQCVag=5JjyBx-UQ@mail.gmail.com>
Cc: draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12
Radia, this is what we wrote in RFC 6749:

----
1.6. TLS Version

Whenever Transport Layer Security (TLS) is used by this specification, the appropriate version (or versions) of TLS will vary over time, based on the widespread deployment and known security vulnerabilities. At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has a very limited deployment base and might not be readily available for implementation. TLS version 1.0 [RFC2246] is the most widely deployed version and will provide the broadest interoperability.
----

We then moved on to something shorter in RFC 7009:

----
The authorization server MUST use Transport Layer Security (TLS) [RFC5246] in a version compliant with [RFC6749], Section 1.6. Implementations MAY also support additional transport-layer security mechanisms that meet their security requirements.
----

and now we are at:

----
the server MUST support TLS 1.2 RFC 5246 [RFC5246] and MAY support additional transport-layer mechanisms meeting its security requirements.
----

I personally don't care too much what we are saying since folks in the OAuth group would like to say the right thing anyway: we want to use the most recent version of TLS. Unfortunately that is not specific enough.

If the trick Stephen suggested with referencing BCP numbers (instead of RFCs) helps then I would go for that.

On 04/02/2015 07:25 PM, Radia Perlman wrote:
> Can't it just say "MUST support version 1.2 or later version of TLS"?

Ciao
Hannes
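The three spec texts quoted in the message differ in what floor they set on the TLS version (RFC 6749's "TLS 1.0 for broadest interoperability", RFC 7009's pointer to that section, and the draft's "MUST support TLS 1.2"). The following is an added example, not code from the thread, from the OAuth working group or from any of the drafts: it shows what the two postures look like as a server-side `ssl.SSLContext` policy in Python's standard library, plus a check that a negotiated protocol version satisfies the "1.2 or later" reading Radia proposes. The function names, the version ordering table and the sample version strings are all constructed for the illustration.

```python
"""Added example: expressing a TLS version floor as an ssl.SSLContext
policy and checking negotiated versions against it. Not part of the
secdir thread or any OAuth specification; names are illustrative."""
import ssl

# Ordering for the protocol-version strings that SSLSocket.version()
# returns, so that "TLS 1.2 or later" can be evaluated. (Constructed table.)
_TLS_ORDER = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def meets_minimum(negotiated: str, minimum: str = "TLSv1.2") -> bool:
    """True if the negotiated protocol string is `minimum` or a later TLS
    version. SSLv2/SSLv3 or an unknown string never satisfies the floor."""
    if minimum not in _TLS_ORDER:
        raise ValueError(f"unknown minimum version: {minimum}")
    if negotiated not in _TLS_ORDER:
        return False
    return _TLS_ORDER[negotiated] >= _TLS_ORDER[minimum]


def permissive_server_context() -> ssl.SSLContext:
    """The RFC 6749 section 1.6 posture: leave the floor at whatever the
    linked TLS library still enables (historically that included TLS 1.0),
    accepting old clients in exchange for 'broadest interoperability'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def strict_server_context() -> ssl.SSLContext:
    """'MUST support TLS 1.2 or later': TLS 1.2 is the floor, and any newer
    version the library offers (TLS 1.3 today) is still negotiable, so the
    policy does not need rewriting when a new TLS version ships."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context's configured floor satisfy the
    TLS 1.2-or-later requirement? TLSVersion is an IntEnum, so the
    comparison is numeric (MINIMUM_SUPPORTED sorts below every real version)."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_server_context()),
                      ("strict", strict_server_context())):
        print(f"{name:10s} floor={ctx.minimum_version.name:18s} "
              f"meets 1.2-or-later policy: {context_meets_policy(ctx)}")
    for v in ("TLSv1", "TLSv1.2", "TLSv1.3", "SSLv3"):
        print(f"negotiated {v:8s} -> acceptable: {meets_minimum(v)}")
```

The point of `strict_server_context` is that the floor is set, not a single pinned version: that is the operational form of "MUST support version 1.2 or later", and it avoids the problem the message describes of spec text that becomes stale as soon as a newer TLS version is deployed. `context_meets_policy` is the kind of check a deployment review would run over every server context an OAuth endpoint creates.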