I would agree as we ran into this from some of deployment we had. What is the driving factor here for 1.2 over 1.0?
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Rob Richards Sent: Thursday, November 17, 2011 3:07 AM To: Barry Leiba Cc: oauth WG Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base Please refer to this thread about the problem with requiring anything more than TLS 1.0 http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html You will end up with a spec that virtually no one can implement and be in conformance with. I still have yet to find an implementation out in the wild that supports anything more than TLS 1.0 Rob On 11/17/11 3:41 AM, Barry Leiba wrote: > The OAuth base doc refers in two places to TLS versions (with the same > text in both places: > > OLD > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY > support additional transport-layer mechanisms meeting its security > requirements. > > In both the shepherd review and the AD review, this was called into question: > 1. MUST for an old version and SHOULD for the current version seems wrong. > 2. Having specific versions required locks us into those versions (for > example, all implementations will have to support TLS 1.0, even long > after it becomes obsolete, unless we rev the spec. > > I have suggested the following change, as doc shepherd: > > NEW > The authorization server MUST implement the current version of TLS > (1.2 [RFC5246] at the time of this writing), and SHOULD implement the > most widely deployed previous version (1.0 [RFC2246] at the of this > writing), unless that version is deprecated due to security > vulnerabilities. It MAY also implement additional transport-layer > mechanisms that meet its security requirements. > > I believe this also gives us the effect we want, without the two > problems above. There was consensus in the meeting for accepting this > text. Confirming on the list: > > Please respond to this thread if you *object* to this change, and say > why. Please respond by 2 Dec 2011. > > Barry, as document shepherd > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
