Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 01 April 2015 17:18 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org
Date: Wed, 01 Apr 2015 13:18:44 -0400
Subject: Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12
Message-ID: <CAHbuEH65fyKWZpVRxst=-6arapic4vK-K3A38EuLv0f70gDDCg@mail.gmail.com>
In-Reply-To: <551C2568.3050301@gmx.net>
References: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com> <551C0005.2000309@gmx.net> <alpine.GSO.1.10.1504011209550.22210@multics.mit.edu> <551C1970.4050600@cs.tcd.ie> <551C2568.3050301@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/JziyKfjNXMaUH7mqGMYu6iUGPwc>

On Wed, Apr 1, 2015 at 1:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Ben, Stephen,
>
> I believe that this would be a good idea although it does not really
> solve the underlying problem. Why? If we put a reference to the UTA BCP
> in there then we end up in the need to update our documents in the not
> too distant future to point to a new UTA BCP that talks about TLS 1.3.
>

I agree with Hannes here.  Having MTI for TLS 1.2 is fine for right now, it
must be supported, but doesn't mean other versions can't be supported once
libraries are available and it makes sense.  We can't hold this up because
TLS 1.3 is coming soon and would prefer that folks know they should be
implementing at least TLS 1.2.  A reference to the TLS BCP with this is
fine as well.  But this is one of the many OAuth drafts and not really the
place to call out specific requirements, like which of the recommended
cipher suites in the BCP should be implemented for OAuth (I don't think
that has been done as it has for other protocols), but is not the right
place to do too much.

The web page/registry idea is a good one, so we can state current
recommendations.

Thanks,
Kathleen

>
> Ciao
> Hannes
>
>
> On 04/01/2015 06:14 PM, Stephen Farrell wrote:
> >
> >
> > On 01/04/15 17:11, Benjamin Kaduk wrote:
> >> On Wed, 1 Apr 2015, Hannes Tschofenig wrote:
> >>
> >>> I personally would like to replace these types of recommendations with
> >>> references to a page on the IETF website that talks about the most
> >>> recent TLS & ciphersuite recommendations. I am aware that this might
> >>> create problems with claiming interoperability with a specific RFC...
> >>
> >> Why not a BCP document for TLS usage?  It seems to be a charter item for
> >> the uta WG already...
> >
> > Well, initially OAuth wanted some specifics that matched the
> > deployments then seen, but yeah, I think the world may have
> > moved on sufficiently that a simple reference to the UTA BCP
> > (which is in the RFC editor queue) [1] might be fine. I'd
> > say it's defo worth asking the wg if they'd have a problem
> > with that now.
> >
> > S.
> >
> > [1] https://www.rfc-editor.org/queue2.html#draft-ietf-uta-tls-bcp
> >
> >
> >>
> >> -Ben
> >>
>
>


-- 

Best regards,
Kathleen
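The distinction Kathleen draws above (TLS 1.2 as a mandatory-to-implement floor, not a cap that forbids newer versions) is easy to get wrong in code. The following is an added example, not part of the thread or of the OAuth draft, showing the two readings as Python `ssl` client contexts, a helper that reports which protocol versions a context's policy permits, and a check for the version string a connection actually negotiated. The function names and the assumption that a client context is being configured are mine; it uses only the standard `ssl` module.

```python
import ssl

# Concrete protocol versions in ascending order. The sentinels in
# ssl.TLSVersion (MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED) are resolved to the
# ends of this list by allowed_versions() below.
_ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def mti_floor_context() -> ssl.SSLContext:
    """Express 'TLS 1.2 is MTI' as a floor (hypothetical helper name).

    TLS 1.2 is the minimum; anything newer the library offers (TLS 1.3
    today) is still negotiable, which is the reading argued for above.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # maximum_version is left at MAXIMUM_SUPPORTED on purpose.
    return ctx


def pinned_context() -> ssl.SSLContext:
    """Misread 'MTI TLS 1.2' as 'only TLS 1.2' (hypothetical helper name).

    Pinning the maximum freezes the deployment at 1.2 and forces a code
    change when a newer version becomes available.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Return the names of the protocol versions the context's policy permits.

    This reports the policy range only; whether the linked OpenSSL can
    actually offer each version (e.g. TLS 1.3) is a separate, build-time fact.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_i = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else _ORDERED.index(lo)
    hi_i = (len(_ORDERED) - 1 if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED
            else _ORDERED.index(hi))
    return [v.name for v in _ORDERED[lo_i:hi_i + 1]]


def negotiated_meets_floor(version_str: str,
                           floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> bool:
    """Check a negotiated version string, as returned by SSLSocket.version()
    (e.g. 'TLSv1.2', 'TLSv1.3'), against the MTI floor.

    Useful for logging or alerting on connections that slipped below policy.
    """
    name = version_str.replace(".", "_")          # 'TLSv1.2' -> 'TLSv1_2'
    try:
        negotiated = ssl.TLSVersion[name]
    except KeyError:
        return False                               # unknown or pre-TLS string
    if negotiated not in _ORDERED:
        return False
    return _ORDERED.index(negotiated) >= _ORDERED.index(floor)


if __name__ == "__main__":
    print("floor policy permits :", allowed_versions(mti_floor_context()))
    print("pinned policy permits:", allowed_versions(pinned_context()))
    for v in ("TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(v, "meets floor:", negotiated_meets_floor(v))
```

The floor context is the one to deploy: it states the MTI requirement without blocking TLS 1.3, and `negotiated_meets_floor` can be run on `sock.version()` after each handshake to detect endpoints that still negotiate below the floor.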