Eran Richard and Lief are describing the same point we had in the past where Peter surmised the discussion that an *implementation* MUST support TLS is required for bearer tokens to be compliant, and that TLS is recommended for *deployment*
-- Dick On 2010-04-07, at 4:21 PM, Eran Hammer-Lahav wrote: > We are looking at this all wrong. > > There are two kinds of protected resources OAuth supports: > > * http:// > * https:// > > OAuth provides two kinds of token authentication modes: > > * bearer token > * token + signature > > I don't know how to translate your statement below into text I can put in > the draft to answer: > > When you access/serve an http:// protected resource you do what? > When you access/serve an https:// protected resource you do what? > > It is not about requiring SSL for bearer token. It is about what you > can/should do when accessing an http:// resource. > > EHL > > On 4/7/10 7:09 AM, "Richard Barnes" <[email protected]> wrote: > >> To re-iterate and clarify Leif's second point, I would be in favor of >> making TLS: >> >> -- REQUIRED for implementations to support (== MUST) >> -- RECOMMENDED for deployments to use (== SHOULD) >> >> This a pretty universal pattern in IETF protocols. >> >> --Richard >> >> >> On Apr 7, 2010, at 7:20 AM, Leif Johansson wrote: >> >>> >>>> Go implement whatever you want. But the spec should set the highest >>>> practical bar it can, and requiring HTTPS is trivial. >>>> >>>> As a practical note, if the WG reaches consensus to drop the MUST, >>>> I would >>>> ask the chairs to ask the security area and IESG to provide >>>> guidance whether >>>> they would approve such document. The IESG did not approve OAuth >>>> 1.0a for >>>> publication as an RFC until this was changed to a MUST (for >>>> PLAINTEXT) among >>>> other comments, and that with a strong warning. >>>> >>>> There is also an on going effort to improve cookie security. Do we >>>> really >>>> want OAuth to become the next weakest link? >>> >>> I emphatically agree. >>> >>> I suspect that a lot of confusion on this thread is caused by >>> confusing implementation requirements with deployment requirements >>> btw. >>> >>> Cheers Leif >>> _______________________________________________ >>> OAuth mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
