...@ietf.org] On Behalf
Of Barry Leiba
Sent: Sunday, December 18, 2011 10:56 AM
To: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
To close out this issue:
There's disagreement about whether this proposed text is necessary, but
no one thinks it's *bad*, and I see
Added to section 1:
TLS Version
Whenever TLS is required by this specification, the appropriate
version (or versions) of
TLS will vary over time, based on the widespread deployment and
known security
vulnerabilities. At the time of this writing, TLS version
Since there is so much agreement and peace in the air, I would throw
a little editorial query:
Would it not be better to say the appropriate version instead of this
somewhat lawyerish version (or versions)?
Igor
On 1/20/2012 3:44 PM, Barry Leiba wrote:
Added to section 1:
TLS
To close out this issue:
There's disagreement about whether this proposed text is necessary,
but no one thinks it's *bad*, and I see consensus to use it. Eran,
please make the following change in two places in the base document:
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]),
.
*From:* Rob Richards rricha...@cdatazone.org
*To:* Mike Jones michael.jo...@microsoft.com
*Cc:* Barry Leiba barryle...@computer.org; oauth WG oauth@ietf.org
*Sent:* Saturday, December 10, 2011 11:26 AM
*Subject:* Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
I am fine with it
Rob
On 12/9/11 1:30 PM, Mike Jones wrote:
It looks to me like there is consensus for Barry's text (below). Agreed?
-- Mike
NEW
.
-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Peter
Saint-Andre
Sent: Thursday, December 01, 2011 12:59 PM
To: Stephen Farrell
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/1/11 1:57 PM, Stephen Farrell wrote:
On 12/01/2011 08:10 PM, Peter Saint
, December 01, 2011 12:59 PM
To: Stephen Farrell
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/1/11 1:57 PM, Stephen Farrell wrote:
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM
: Thursday, December 01, 2011 3:57 PM
To: Peter Saint-Andre
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places):
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places):
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places):
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
On 12/1/11 1:57 PM, Stephen Farrell wrote:
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places):
OLD
The authorization
The OAuth base doc refers in two places to TLS versions (with the same
text in both places):
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport-layer mechanisms meeting its
The OAuth base doc refers in two places to TLS versions (with the same
text in both places):
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport-layer mechanisms meeting its security
Please refer to this thread about the problem with requiring anything
more than TLS 1.0
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can implement and be
in conformance with. I still have yet to find an implementation out in
: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Please refer to this thread about the problem with requiring anything more than
TLS 1.0 http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can implement
Please refer to this thread about the problem with requiring anything more
than TLS 1.0
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can implement and be in
conformance with. I still have yet to find an implementation out
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Please refer to this thread about the problem with requiring anything
more than TLS 1.0
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can
I'm saying that it's very difficult for someone to implement an AS that
implements TLS 1.2. TLS 1.2 is not supported in a good number of
systems people deploy on. For example, the use of Apache and OpenSSL
accounts for a good number of web servers out there. The only way to
deploy a
Agree with Rob here. Also, from an application and service developer's
perspective, the check for TLS compliance is going to go something
like this:
1) Does that url start with https?
2) If yes, I'm compliant!
3) If no, make the url start with https
4) Done!
Which will put us in exactly the
Are there any features of TLS 1.2 that are specifically needed for OAuth2? Can
you identify a technical reason other than 'we gotta move the market forward'?
Given past history in the WG where having any transport security was
contentious, I suspect there would be significant objection to 1.2.