[secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 01 April 2015 14:26 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DB111AC3CD; Wed, 1 Apr 2015 07:26:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qzfouW69qHsj; Wed, 1 Apr 2015 07:26:41 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8C041AC3D4; Wed, 1 Apr 2015 07:26:32 -0700 (PDT)
Received: from [192.168.131.146] ([80.92.114.249]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MRoyH-1Z1txr1zlR-00SwFR; Wed, 01 Apr 2015 16:26:18 +0200
Message-ID: <551C0005.2000309@gmx.net>
Date: Wed, 01 Apr 2015 16:26:13 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org
References: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com>
In-Reply-To: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="rCBg1fUnkvfi2P446NeSGWEmr8ctBoutR"
X-Provags-ID: V03:K0:YnlNJqNMmpBRCCgL6WPvF3ZuDLL+hDrgrLGHOHGGU+9IQskkbDU 6cBhY3iaHG1ctUlcGMPLI4iwWOb4BhuxN5CH/hgg1PiyT+d/W79xOpfnT8cx+4z4G5HYLn2 IIkdUcR3H91ivNCFYL0F/55N2897moOeMxz18ITTOW7WSsRThxfO0bQvzLWT3T9ZDex/e7P LeWASNEEHQbHTFhCk++Rg==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/an-Q4n3IbxPVa11ycEHddpQ58fs>
Subject: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 14:26:43 -0000
Hi Ben, I would like to respond to this issue: On 04/01/2015 02:29 PM, Ben Laurie wrote: > Issue: "The server MUST support TLS 1.2" - it seems unwise to mandate > a particular version of TLS - work on TLS 1.3 is already under way, > and TLS 1.2 is not (it seems) that far off deprecation! We had a lengthy debate in OAuth around the issue of mandatory-to-implement security functionality. Earlier we just pointed to the use of TLS but then the question arises what version of TLS and what ciphersuites to use. Then, we came up with this text for all of our documents but it creates the problem you outlined. In essence, all our documents will point to an old TLS version in approx. 1 year from now when TLS 1.3 is finalized. I believe this is a broader issue that needs to be solved in the security area and not just with OAuth, namely should specifications contain MTI security functionality when we know already at the time of writing that they will be outdated within a reasonable amount of time? In some sense, I see a bit of overlap with the crypto agility debate and the attempt to reduce the overhead for standardization in introducing new cryptographic algorithms. I personally would like to replace these types of recommendations with references to a page on the IETF website that talks about the most recent TLS & ciphersuite recommendations. I am aware that this might create problems with claiming interoperability with a specific RFC... Help appreciated. Ciao Hannes
- [secdir] Security review of draft-ietf-oauth-dyn-… Ben Laurie
- [secdir] MTI ... Re: Security review of draft-iet… Hannes Tschofenig
- Re: [secdir] MTI ... Re: Security review of draft… Benjamin Kaduk
- Re: [secdir] MTI ... Re: Security review of draft… Stephen Farrell
- Re: [secdir] MTI ... Re: Security review of draft… Hannes Tschofenig
- Re: [secdir] MTI ... Re: Security review of draft… Kathleen Moriarty
- Re: [secdir] MTI ... Re: Security review of draft… stephen.farrell
- Re: [secdir] MTI ... Re: Security review of draft… Ben Laurie
- Re: [secdir] MTI ... Re: Security review of draft… Radia Perlman
- Re: [secdir] MTI ... Re: Security review of draft… Hannes Tschofenig
- Re: [secdir] MTI ... Re: Security review of draft… Ben Laurie
- Re: [secdir] MTI ... Re: Security review of draft… Stephen Farrell
- Re: [secdir] MTI ... Re: Security review of draft… Kathleen Moriarty
- Re: [secdir] Security review of draft-ietf-oauth-… Ben Laurie
- Re: [secdir] Security review of draft-ietf-oauth-… Ben Laurie
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Kathleen Moriarty
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Ben Laurie