And if the servers don't implement the "should" on 1.0, how do we get 
deployments for the other actors that can't talk to 1.2?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Barry Leiba
Sent: Thursday, November 17, 2011 3:19 AM
To: Rob Richards
Cc: oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

> Please refer to this thread about the problem with requiring anything 
> more than TLS 1.0 
> http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
>
> You will end up with a spec that virtually no one can implement and be 
> in conformance with. I still have yet to find an implementation out in 
> the wild that supports anything more than TLS 1.0

Are you saying that there's some difficulty in *implementing* TLS 1.2 ?  If so, 
please explain what that difficulty is.

If you're saying that TLS 1.2 is not widely deployed, and so it's hard to find 
two implementations that will actually *use* TLS 1.2 to talk to each other, I 
have no argument with you.  But that's not the point.
If everyone implements only TLS 1.0, we'll never move forward.  And when TLS 
1.2 (or something later) does get rolled out, OAuth implementations will be 
left behind.  If everyone implements 1.2 AND 1.0, then we'll be ready when 
things move.

I'm pretty sure there'll be trouble getting through the IESG with a MUST for 
something two versions old, and a SHOULD for the current version.

Barry
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth



