+1 Phil
On 2011-08-16, at 13:04, Peter Saint-Andre <[email protected]> wrote: > How's this? > > The authorization server MUST support Transport Layer Security > (at the time of this writing, the latest version is specified in > [RFC5246]). It MAY support additional transport-layer mechanisms > meeting its security requirements. > > On 8/16/11 1:55 PM, Eran Hammer-Lahav wrote: >> We should relax it. Just need someone to propose new language. >> >> EHL >> >>> -----Original Message----- >>> From: [email protected] [mailto:[email protected]] On Behalf >>> Of Justin Richer >>> Sent: Tuesday, August 16, 2011 12:49 PM >>> To: Rob Richards >>> Cc: [email protected] >>> Subject: Re: [OAUTH-WG] TLS 1.2 >>> >>> As I recall, the logic of the group here was something like: >>> >>> "We want transport-layer encryption, so let's grab the latest version of >>> that >>> around, which looks to be TLS 1.2" >>> >>> With that logic in mind, this relaxation makes sense to me. Does anyone >>> remember this requirement differently? >>> >>> -- Justin >>> (who admittedly couldn't tell the difference between SSL and TLS) >>> >>> On Tue, 2011-08-16 at 15:36 -0400, Rob Richards wrote: >>>> I wanted to follow up on this and see if there was any consideration >>>> to relaxing this requirement. Can someone actually point me to a >>>> compliant implementation using TLS 1.2 because after looking at a >>>> number of them, I have yet to find one that does. >>>> >>>> Rob >>>> >>>> On 8/12/11 3:56 PM, Rob Richards wrote: >>>>> The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2). >>>>> Based on a thread about this from last year I was under the >>>>> impression that it was going to be relaxed to a SHOULD with most >>>>> likely TLS 1.0 (or posssibly SSLv3) as a MUST. I think it's a bit >>>>> unrealistic to require >>>>> 1.2 when many systems out there can't support it. IMO this is going >>>>> to be a big stumbling block for people to implement a compliant >>>>> OAuth system. Even PCI doesn't require 1.2. >>>>> >>>>> Rob >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> [email protected] >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> [email protected] >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth > > > -- > Peter Saint-Andre > https://stpeter.im/ > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
