On 1/20/12 4:46 PM, Eran Hammer wrote:
> Stephen asked:
>
>> (13) 10.9 says that the client MUST verify the server's cert which is
>> fine. However, does that need a reference to e.g. rfc 6125? Also, do
>> you want to be explicit here about the TLS server cert and thereby
>> possibly rule out using DANE with the non PKI options that that WG
>> (may) produce?
>
> Can someone help with this? I don't know enough to address.
The OAuth core spec currently says:

    The client MUST validate the authorization server's TLS certificate in
    accordance with its requirements for server identity authentication.

RFC 2818 has guidance about endpoint identity, in Section 3.1:

http://tools.ietf.org/html/rfc2818#section-3.1

RFC 6125 attempts to generalize the guidance from RFC 2818 and many similar
specs for use by new application protocols. Given that OAuth as defined by the
core spec runs over HTTP, I think referencing RFC 2818 would make sense. So
something like:

    The client MUST validate the authorization server's TLS certificate in
    accordance with the rules for server identity authentication provided
    in Section 3.1 of [RFC2818].

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
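As an added illustration of the RFC 2818 Section 3.1 identity rules Peter points to (this is not code from the thread or from any OAuth implementation): the functions below apply the dNSName-before-CN precedence and the single-component wildcard rule to a constructed certificate description shaped like Python's `ssl.SSLSocket.getpeercert()` output, and show the stdlib context settings under which a client enforces that check on a real connection.

```python
"""RFC 2818 section 3.1 server identity check, as an illustration.

The certificate dicts used with these functions are constructed stand-ins
for parsed X.509 certificates; no real certificate or network is involved.
"""
import re
import ssl


def _label_matches(pattern: str, label: str) -> bool:
    # "*" matches any single domain component or component fragment
    # (RFC 2818 3.1): *.a.com matches foo.a.com but not bar.foo.a.com,
    # and f*.com matches foo.com but not bar.com.
    regex = "^" + re.escape(pattern).replace(r"\*", "[^.]*") + "$"
    return re.match(regex, label, re.IGNORECASE) is not None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare label by label so a wildcard can never span a dot."""
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and all(
        _label_matches(p, h) for p, h in zip(p_labels, h_labels))


def server_identity_ok(cert: dict, hostname: str) -> bool:
    """True if `hostname` is an identity the certificate asserts.

    `cert` has the shape of ssl.SSLSocket.getpeercert():
    {"subject": ((("commonName", cn),),), "subjectAltName": (("DNS", n),)}
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # A dNSName SAN is present: it MUST be used and the CN is ignored.
        return any(dns_name_matches(n, hostname) for n in dns_names)
    # Only when no dNSName exists does the (most specific) CN count.
    cns = [v for rdn in cert.get("subject", ())
           for (k, v) in rdn if k == "commonName"]
    return bool(cns) and dns_name_matches(cns[-1], hostname)


def oauth_client_tls_context() -> ssl.SSLContext:
    """Context an OAuth client should use toward the authorization server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # identity check (the default; stated explicitly)
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to a trusted CA
    return ctx
```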