Go implement whatever you want. But the spec should set the highest
practical bar it can, and requiring HTTPS is trivial.
As a practical note, if the WG reaches consensus to drop the MUST, I would
ask the chairs to ask the security area and IESG to provide guidance whether
they would approve such document. The IESG did not approve OAuth 1.0a for
publication as an RFC until this was changed to a MUST (for PLAINTEXT) among
other comments, and that with a strong warning.
There is also an on going effort to improve cookie security. Do we really
want OAuth to become the next weakest link?
I emphatically agree.
I suspect that a lot of confusion on this thread is caused by confusing
implementation requirements with deployment requirements btw.
Cheers Leif
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
