As I recall, the logic of the group here was something like:
"We want transport-layer encryption, so let's grab the latest version of
that around, which looks to be TLS 1.2"
With that logic in mind, this relaxation makes sense to me. Does anyone
remember this requirement differently?
-- Justin
(who admittedly couldn't tell the difference between SSL and TLS)
On Tue, 2011-08-16 at 15:36 -0400, Rob Richards wrote:
> I wanted to follow up on this and see if there was any consideration to
> relaxing this requirement. Can someone actually point me to a compliant
> implementation using TLS 1.2 because after looking at a number of them,
> I have yet to find one that does.
>
> Rob
>
> On 8/12/11 3:56 PM, Rob Richards wrote:
> > The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2). Based
> > on a thread about this from last year I was under the impression that
> > it was going to be relaxed to a SHOULD with most likely TLS 1.0 (or
> > possibly SSLv3) as a MUST. I think it's a bit unrealistic to require
> > 1.2 when many systems out there can't support it. IMO this is going to
> > be a big stumbling block for people to implement a compliant OAuth
> > system. Even PCI doesn't require 1.2.
> >
> > Rob
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>