On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places:
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport-layer mechanisms meeting its security
requirements.
In both the shepherd review and the AD review, this was called into question:
1. MUST for an old version and SHOULD for the current version seems wrong.
2. Having specific versions required locks us into those versions (for
example, all implementations will have to support TLS 1.0, even long
after it becomes obsolete, unless we rev the spec.
The comments I've gotten on this show a clear consensus against the
change I suggest, and against any attempt to require a version of TLS
other than 1.0. I still, though, am concerned that locking this spec
into TLS 1.0 is limiting. So let me propose an alternative wording,
which again tries to make the version(s) non-normative, while making
it clear which version(s) need to be implemented to get
interoperability:
NEW
--------------------------------------------
The authorization server MUST implement TLS. Which version(s)
ought to be implemented will vary over time, and depend on
the widespread deployment and known security vulnerabilities at
the time of implementation. At the time of this writing, TLS version
1.2 [RFC5246] is the most recent version, but has very limited
actual deployment, and might not be readily available in
implementation toolkits. TLS version 1.0 [RFC2246] is the
most widely deployed version, and will give the broadest
interoperability.
Servers MAY also implement additional transport-layer
mechanisms that meet their security requirements.
--------------------------------------------
Comments on this version?
Barry
Text is neutral enough for me as it's not mandating anything that isn't
readily available. Only comment is whether or not there is a need to
even talk about the specific versions or if just the following is enough:
The authorization server MUST implement TLS. Which version(s) ought to
be implemented will vary over time, and depend on the widespread
deployment and known security vulnerabilities at the time of implementation.
Servers MAY also implement additional transport-layer mechanisms that
meet their security requirements.
Rob
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
