Re: [secdir] MTI ... Re: Security review of draft-ietf-oauth-dyn-reg-management-12

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 03 April 2015 14:09 UTC

To: Ben Laurie <benl@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/qZiw1rmJ962gfzGq8Js2r9Ai06w>
Cc: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org" <draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org>

Sorry, I was at a conference yesterday and not able to respond.

> On Apr 2, 2015, at 1:15 PM, Ben Laurie <benl@google.com> wrote:
> 
> On 1 April 2015 at 18:18, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>> I agree with Hannes here.  Having MTI for TLS 1.2 is fine for right now, it
>> must be supported, but doesn't mean other versions can't be supported once
>> libraries are available and it makes sense.  We can't hold this up because
>> TLS 1.3 is coming soon and would prefer that folks know they should be
>> implementing at least TLS 1.2.  A reference to the TLS BCP with this is fine
>> as well.  But this is one of the many OAuth drafts and not really the place
>> to call out specific requirements, like which of the recommended cipher
>> suites in the BCP should be implemented for OAuth (I don't think that has
>> been done as it has for other protocols), but is not the right place to do
>> too much.
> 
> Call it out wherever you want. _My_ job is to review this particular
> I-D, and this is an issue with this particular I-D. I don't see how
> the fact it is also an issue with many other I-Ds fixes that problem.

Yes, and your review is very much appreciated.  We need to discuss the review to figure out what changes and what doesn't in a draft.  Ideally, all of the security needs would have been clear in a foundational document, but as Hannes pointed out, requirements evolved as OAuth developed.

At this point in time, TLS 1.2 is the base requirement, which is appropriate.  As is a reference to the BCP that explains security for that version.  When support for 1.3 makes that feasible, an 'updates' draft can fix that.  If the BCP for 1.3 updates the current one for 1.2 (maybe there will be enough of a difference to make a new #), then the BCP number will already be in this draft.  We can't predict the future, but we can go off of what we know now and just move into the other questions raised in this review.

Thank you,
Kathleen