How's this?

   The authorization server MUST support Transport Layer Security (at
   the time of this writing, the latest version is specified in
   [RFC5246]). It MAY support additional transport-layer mechanisms
   meeting its security requirements.

On 8/16/11 1:55 PM, Eran Hammer-Lahav wrote:
> We should relax it. Just need someone to propose new language.
>
> EHL
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Justin Richer
>> Sent: Tuesday, August 16, 2011 12:49 PM
>> To: Rob Richards
>> Cc: [email protected]
>> Subject: Re: [OAUTH-WG] TLS 1.2
>>
>> As I recall, the logic of the group here was something like:
>>
>> "We want transport-layer encryption, so let's grab the latest version of that
>> around, which looks to be TLS 1.2"
>>
>> With that logic in mind, this relaxation makes sense to me. Does anyone
>> remember this requirement differently?
>>
>> -- Justin
>> (who admittedly couldn't tell the difference between SSL and TLS)
>>
>> On Tue, 2011-08-16 at 15:36 -0400, Rob Richards wrote:
>>> I wanted to follow up on this and see if there was any consideration
>>> to relaxing this requirement. Can someone actually point me to a
>>> compliant implementation using TLS 1.2 because after looking at a
>>> number of them, I have yet to find one that does.
>>>
>>> Rob
>>>
>>> On 8/12/11 3:56 PM, Rob Richards wrote:
>>>> The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2).
>>>> Based on a thread about this from last year I was under the
>>>> impression that it was going to be relaxed to a SHOULD with most
>>>> likely TLS 1.0 (or possibly SSLv3) as a MUST. I think it's a bit
>>>> unrealistic to require 1.2 when many systems out there can't
>>>> support it. IMO this is going to be a big stumbling block for
>>>> people to implement a compliant OAuth system. Even PCI doesn't
>>>> require 1.2.
>>>>
>>>> Rob
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/oauth

-- 
Peter Saint-Andre
https://stpeter.im/
