Are there any features of TLS 1.2 that are specifically needed for OAuth2? Can you identify a technical reason other then 'we gotta move the market forward'?
Given past history in the WG where having any transport security was contentious, I suspect there would be significant objection to 1.2. Phil @independentid www.independentid.com [email protected] On 2011-11-17, at 12:41 AM, Barry Leiba wrote: > The OAuth base doc refers in two places to TLS versions (with the same > text in both places: > > OLD > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY > support additional transport-layer mechanisms meeting its security > requirements. > > In both the shepherd review and the AD review, this was called into question: > 1. MUST for an old version and SHOULD for the current version seems wrong. > 2. Having specific versions required locks us into those versions (for > example, all implementations will have to support TLS 1.0, even long > after it becomes obsolete, unless we rev the spec. > > I have suggested the following change, as doc shepherd: > > NEW > The authorization server MUST implement the current version of TLS > (1.2 [RFC5246] at the time of this writing), and SHOULD implement the > most widely deployed previous version (1.0 [RFC2246] at the of this > writing), unless that version is deprecated due to security > vulnerabilities. It MAY also implement additional transport-layer > mechanisms that meet its security requirements. > > I believe this also gives us the effect we want, without the two > problems above. There was consensus in the meeting for accepting this > text. Confirming on the list: > > Please respond to this thread if you *object* to this change, and say > why. Please respond by 2 Dec 2011. > > Barry, as document shepherd > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
