The OAuth base doc refers in two places to TLS versions (with the same text in both places):

OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD support TLS 1.2 ([RFC5246]) and its future replacements, and MAY support additional transport-layer mechanisms meeting its security requirements.

In both the shepherd review and the AD review, this was called into question:

1. MUST for an old version and SHOULD for the current version seems wrong.
2. Having specific versions required locks us into those versions (for example, all implementations will have to support TLS 1.0, even long after it becomes obsolete, unless we rev the spec).

I have suggested the following change, as doc shepherd:

NEW
The authorization server MUST implement the current version of TLS (1.2 [RFC5246] at the time of this writing), and SHOULD implement the most widely deployed previous version (1.0 [RFC2246] at the time of this writing), unless that version is deprecated due to security vulnerabilities. It MAY also implement additional transport-layer mechanisms that meet its security requirements.

I believe this also gives us the effect we want, without the two problems above. There was consensus in the meeting for accepting this text. Confirming on the list: Please respond to this thread if you *object* to this change, and say why. Please respond by 2 Dec 2011.

Barry, as document shepherd
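Added example (not part of the post or of any OAuth implementation): the proposed NEW wording expressed as a server-side TLS policy with Python's `ssl` module, going one step beyond the text by applying the "unless that version is deprecated" clause to today's situation, where RFC 8996 has deprecated TLS 1.0 and 1.1. The version constants and the deprecated set are assumptions chosen to match the post.

```python
import ssl

# Added example, not from the mailing-list post. It encodes the proposed text:
# the "current" version is a hard floor (MUST), and the "most widely deployed
# previous version" is offered only while it is not deprecated (SHOULD ... unless
# deprecated). Assumed values: TLS 1.2 was current and TLS 1.0 the previous
# version in 2011; TLS 1.0 and 1.1 were later deprecated by RFC 8996.

CURRENT = ssl.TLSVersion.TLSv1_2      # "current version" at the time of the post
PREVIOUS = ssl.TLSVersion.TLSv1       # "most widely deployed previous version"
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}  # per RFC 8996


def minimum_version_for_policy(current, previous, deprecated):
    """Lowest TLS version the authorization server may offer under the NEW text.

    It MUST support `current`; it SHOULD also support `previous`, but only if
    `previous` is not in the deprecated set, otherwise the floor stays at `current`.
    ssl.TLSVersion is an IntEnum, so min() orders versions correctly.
    """
    if previous in deprecated:
        return current
    return min(previous, current)


def build_server_context(current=CURRENT, previous=PREVIOUS, deprecated=DEPRECATED):
    """Server SSLContext whose floor follows the policy and whose ceiling is the
    newest version the library supports (the text's "future replacements")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum_version_for_policy(current, previous, deprecated)
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def policy_report(current=CURRENT, previous=PREVIOUS, deprecated=DEPRECATED):
    """Summarise, as plain values, which versions the server offers and why."""
    floor = minimum_version_for_policy(current, previous, deprecated)
    return {
        "must_support": current.name,
        "previous_deprecated": previous in deprecated,
        "offers_previous": floor < current,
        "minimum_version": floor.name,
    }
```

With the deprecated set as of RFC 8996 the SHOULD for TLS 1.0 drops away and the floor is TLS 1.2; pass `deprecated=set()` to see the 2011 reading, where TLS 1.0 is still offered.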
