Hi everybody,

I provided some feedback on TLS usage in OAuth 2.1. You can find it in this commentable PR:

- https://github.com/aaronpk/oauth-v2-1/pull/30/files

As a first-time reader of this I-D I found that the various references to TLS were a bit confusing because:

- sometimes it was explicitly stated as MUST;
- sometimes it was not mentioned;
- in other parts it's MAY not use TLS (e.g. `loopback`).

Moreover, various pieces of information on how to process TLS were given: I am not sure whether this makes the spec more secure or less secure, as there are specs related to TLS security, including RFC 8740, which do not seem to be included (RFC 8740 is not in BCP 195, which applies to TLS <= 1.2). Probably we need a way to delegate elsewhere all the quirks of TLS/whatever channel security mechanism is used.

The general idea of the above PR is to:

- move everything about TLS to a specific section;
- state that TLS is a MUST unless `loopback`;
- further quotes of TLS are expected to be non-normative.

Feedback welcome,
R
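The rule proposed in the message above ("MUST TLS unless loopback") is easy to state and easy to get wrong in an implementation, so here is an added example, written for this page and not taken from the draft or the PR, of how a client registration or configuration checker could enforce it. It assumes a deployment policy (my assumption, not the draft's text) in which server endpoints such as the authorization and token endpoints always require `https`, while redirect URIs may use plain `http` only when the host is a loopback IP literal. The sample URIs at the bottom are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlparse


def is_loopback_host(host):
    """True only for loopback IP literals (127.0.0.0/8, ::1).

    Hostnames such as "localhost" are deliberately rejected: a name can
    resolve to a non-loopback address, so it does not qualify for the
    no-TLS exemption.
    """
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_tls_policy(uri, allow_loopback=False):
    """Return (ok, reason) for one URI under the "MUST TLS unless loopback" rule.

    - https is always acceptable.
    - http is acceptable only when allow_loopback is True and the host is a
      loopback IP literal (the redirect-URI exemption).
    - any other scheme is outside the scope of this check and is reported.
    """
    parsed = urlparse(uri)
    if parsed.scheme == "https":
        return True, "https"
    if parsed.scheme == "http":
        if allow_loopback and is_loopback_host(parsed.hostname):
            return True, "http permitted on loopback interface"
        return False, "http without TLS is not permitted for this URI"
    return False, "unsupported scheme %r" % parsed.scheme


def policy_violations(server_endpoints, redirect_uris):
    """Collect (uri, reason) pairs for every URI that fails the policy.

    Hypothetical policy split: server endpoints never get the loopback
    exemption, redirect URIs do.
    """
    violations = []
    for uri in server_endpoints:
        ok, reason = check_tls_policy(uri, allow_loopback=False)
        if not ok:
            violations.append((uri, reason))
    for uri in redirect_uris:
        ok, reason = check_tls_policy(uri, allow_loopback=True)
        if not ok:
            violations.append((uri, reason))
    return violations


# Constructed sample configuration (not from any real deployment).
SAMPLE_ENDPOINTS = [
    "https://as.example/authorize",
    "http://as.example/token",          # violation: server endpoint over http
]
SAMPLE_REDIRECT_URIS = [
    "http://127.0.0.1:8080/cb",         # ok: loopback IPv4 literal
    "http://[::1]:8080/cb",             # ok: loopback IPv6 literal
    "http://localhost:8080/cb",         # violation: name, not an IP literal
    "https://app.example/cb",           # ok: https
    "http://app.example/cb",            # violation: plain http to a real host
]

if __name__ == "__main__":
    for uri, reason in policy_violations(SAMPLE_ENDPOINTS, SAMPLE_REDIRECT_URIS):
        print("REJECT %s: %s" % (uri, reason))
```

Running the block reports three rejections: the token endpoint over `http`, the `localhost` redirect URI, and the non-loopback `http` redirect URI. Treating only IP literals as loopback is the conservative reading of the exemption; if a deployment wants to accept `localhost` as well, that is a deliberate policy decision that should be made explicit rather than an accident of the parser.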
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth