After dealing with a few companies' security teams over the spec, I
don't think it should be allowed too much room for interpretation and
needs to be spelled out clearly. They would most likely interpret that
as requiring the latest version of TLS at the time of implementation.
Maybe something more along the lines of:
The authorization server SHOULD support TLS 1.2 as defined in [RFC5246]
but at a minimum MUST support TLS 1.0 as defined in [RFC2246], and MAY
support additional transport-layer mechanisms meeting its security
requirements.
On 8/16/11 4:04 PM, Peter Saint-Andre wrote:
How's this?
The authorization server MUST support Transport Layer Security
(at the time of this writing, the latest version is specified in
[RFC5246]). It MAY support additional transport-layer mechanisms
meeting its security requirements.
On 8/16/11 1:55 PM, Eran Hammer-Lahav wrote:
We should relax it. Just need someone to propose new language.
EHL
-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Justin Richer
Sent: Tuesday, August 16, 2011 12:49 PM
To: Rob Richards
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] TLS 1.2
As I recall, the logic of the group here was something like:
"We want transport-layer encryption, so let's grab the latest version of that
around, which looks to be TLS 1.2"
With that logic in mind, this relaxation makes sense to me. Does anyone
remember this requirement differently?
-- Justin
(who admittedly couldn't tell the difference between SSL and TLS)
On Tue, 2011-08-16 at 15:36 -0400, Rob Richards wrote:
I wanted to follow up on this and see if there was any consideration
to relaxing this requirement. Can someone actually point me to a
compliant implementation using TLS 1.2 because after looking at a
number of them, I have yet to find one that does.
Rob
On 8/12/11 3:56 PM, Rob Richards wrote:
The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2).
Based on a thread about this from last year I was under the
impression that it was going to be relaxed to a SHOULD with most
likely TLS 1.0 (or possibly SSLv3) as a MUST. I think it's a bit
unrealistic to require 1.2 when many systems out there can't support it. IMO this is going
to be a big stumbling block for people to implement a compliant
OAuth system. Even PCI doesn't require 1.2.
Rob
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
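The thread turns on whether deployed authorization servers actually negotiate TLS 1.2 rather than merely claiming to. The check a practitioner would run is a passive one: look at the ServerHello the server sends back and read off the version it selected. The following is an added example for this page, not code from the OAuth working group or from any implementation mentioned in the thread. It parses a TLS record carrying a ServerHello and reports the negotiated version, reading the legacy server_version field for TLS 1.0 through 1.2 and, because TLS 1.3 servers freeze that field at 0x0303, the supported_versions extension when present. The sample ServerHello records are constructed in-line by the helper `build_server_hello` (an assumed helper for test data, not real captured traffic), and `meets_minimum` is the policy check a spec reviewer would apply against a MUST/SHOULD floor.

```python
"""Passive check of the TLS version a server negotiated (added example)."""
import struct

# TLS protocol version codes as they appear on the wire.
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

HANDSHAKE = 22               # record content type
SERVER_HELLO = 2             # handshake message type
EXT_SUPPORTED_VERSIONS = 43  # extension carrying the TLS 1.3 selected version


def selected_version(record: bytes) -> int:
    """Return the version code the server selected in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("record length mismatch")

    # Handshake header: msg_type(1) + length(3).
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length mismatch")

    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2)
    # compression_method(1) [extensions<..>].
    pos = 0
    selected = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32
    session_id_len = hello[pos]
    pos += 1 + session_id_len
    pos += 2  # cipher suite
    pos += 1  # compression method

    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(hello):
            raise ValueError("extensions overrun the message")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            # In TLS 1.3 the real selection lives here; legacy field says 1.2.
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                selected = struct.unpack("!H", data)[0]
    return selected


def version_name(code: int) -> str:
    """Human-readable name for a version code."""
    return VERSION_NAMES.get(code, f"unknown (0x{code:04x})")


def meets_minimum(record: bytes, minimum: int = 0x0303) -> bool:
    """True if the negotiated version is at least `minimum` (default TLS 1.2)."""
    return selected_version(record) >= minimum


def build_server_hello(legacy_version: int, tls13: bool = False) -> bytes:
    """Construct a minimal ServerHello record as sample data (not captured traffic)."""
    random_bytes = bytes(32)
    session_id = b""
    cipher_suite = b"\x13\x01" if tls13 else b"\xc0\x2f"
    hello = (struct.pack("!H", legacy_version) + random_bytes
             + bytes([len(session_id)]) + session_id + cipher_suite + b"\x00")
    if tls13:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
        hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake


if __name__ == "__main__":
    for label, rec in (("legacy 1.0 server", build_server_hello(0x0301)),
                       ("1.2 server", build_server_hello(0x0303)),
                       ("1.3 server", build_server_hello(0x0303, tls13=True))):
        code = selected_version(rec)
        print(f"{label}: {version_name(code)}; meets TLS 1.2 floor: {meets_minimum(rec)}")
```

Feed `selected_version` the first handshake record the server sends after the ClientHello (from a pcap or a raw socket read) to see what a given authorization server really picks; the supported_versions handling matters because a TLS 1.3 endpoint would otherwise be misreported as 1.2.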