Since there is so much agreement and peace in the air, I would throw
a little editorial query:
Would it not be better to say "the appropriate version" instead of this
somewhat lawyerish "version (or versions)"?
Igor
On 1/20/2012 3:44 PM, Barry Leiba wrote:
> Added to section 1:
>
> TLS Version
>
> Whenever TLS is required by this specification, the appropriate
> version (or versions) of
> TLS will vary over time, based on the widespread deployment and
> known security
> vulnerabilities. At the time of this writing, TLS
ba
> Sent: Sunday, December 18, 2011 10:56 AM
> To: oauth WG
> Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
>
> To close out this issue:
> There's disagreement about whether this proposed text is "necessary", but
> no one thinks it's *
To close out this issue:
There's disagreement about whether this proposed text is "necessary",
but no one thinks it's *bad*, and I see consensus to use it. Eran,
please make the following change in two places in the base document:
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]),
t think it causes any problems.
*From:* Rob Richards
*To:* Mike Jones
*Cc:* Barry Leiba ; oauth WG
*Sent:* Saturday, December 10, 2011 11:26 AM
*Subject:* Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
I am fine with it
Rob
On 12/9/11 1:30 PM, Mike Jones wrote:
> It looks
I think it's overkill, but I don't think it causes any problems.
From: Rob Richards
To: Mike Jones
Cc: Barry Leiba ; oauth WG
Sent: Saturday, December 10, 2011 11:26 AM
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
I am fi
ments.
-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Peter
Saint-Andre
Sent: Thursday, December 01, 2011 12:59 PM
To: Stephen Farrell
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/1/11 1:
aint-Andre
Sent: Thursday, December 01, 2011 12:59 PM
To: Stephen Farrell
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/1/11 1:57 PM, Stephen Farrell wrote:
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wro
f.org [mailto:oauth-boun...@ietf.org] On Behalf Of Peter
Saint-Andre
Sent: Thursday, December 01, 2011 12:59 PM
To: Stephen Farrell
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/1/11 1:57 PM, Stephen Farrell wrote:
>
>
> On 12/01/2011 08:10 P
Stephen Farrell
Sent: Thursday, December 01, 2011 3:57 PM
To: Peter Saint-Andre
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
> On 12/1/11 1:09 PM, Rob Richards wrote:
>> On 11/28/11 10:39 PM, Barr
On 12/1/11 1:57 PM, Stephen Farrell wrote:
>
>
> On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
>> On 12/1/11 1:09 PM, Rob Richards wrote:
>>> On 11/28/11 10:39 PM, Barry Leiba wrote:
> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places:
>
>
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places:
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
On 12/1/11 1:09 PM, Rob Richards wrote:
> On 11/28/11 10:39 PM, Barry Leiba wrote:
>>> The OAuth base doc refers in two places to TLS versions (with the same
>>> text in both places:
>>>
>>> OLD
>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
>>> support TLS 1.2 ([RFC5246]) an
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places:
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport
> The OAuth base doc refers in two places to TLS versions (with the same
> text in both places:
>
> OLD
> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> support additional transport-layer mechanisms meeting its
Are there any features of TLS 1.2 that are specifically needed for OAuth2? Can
you identify a technical reason other than 'we gotta move the market forward'?
Given past history in the WG where having any transport security was
contentious, I suspect there would be significant objection to 1.2.
Agree with Rob here. Also, from an application and service developer's
perspective, the check for "TLS compliance" is going to go something
like this:
1) Does that url start with "https"?
2) If yes, I'm compliant!
3) If no, make the url start with "https"
4) Done!
Which will put us in exactly the
I'm saying that it's very difficult for someone to implement an AS that
implements TLS 1.2. TLS 1.2 is not supported in a good number of
systems people deploy on. For example, the use of Apache and OpenSSL
accounts for a good number of web servers out there. The only way to
deploy a conform
> And if the servers don't implement the "should" on 1.0 how do we get
> deployments for the other actors that can't talk to 1.2
1. Do you think we'll really see implementations that don't work with
what's out there?
2. SHOULD doesn't mean MAY. SHOULD means "MUST, unless you have a
really good r
2011 3:19 AM
To: Rob Richards
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
> Please refer to this thread about the problem with requiring anything
> more than TLS 1.0
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end u
> Please refer to this thread about the problem with requiring anything more
> than TLS 1.0
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end up with a spec that virtually no one can implement and be in
> conformance with. I still have yet to find an implementation
: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Please refer to this thread about the problem with requiring anything more than
TLS 1.0 http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can implement and be
Please refer to this thread about the problem with requiring anything
more than TLS 1.0
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can implement and be
in conformance with. I still have yet to find an implementation out in
The OAuth base doc refers in two places to TLS versions (with the same
text in both places:
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport-layer mechanisms meeting its security
requ