Hiya,

This draft has a couple of minor changes needed as a result of IESG review (see [1]) but one question came up that I wanted to bring back to the WG to see what you think. Any good answer should be fine btw, this isn't a case of the insisting on stuff.

The question is whether the WG think that the situation related to the mandatory-to-implement TLS version has changed since that was last discussed a couple of years ago. There have been changes in the implementation status of TLS1.2 since then, mainly driven by the discovery of weaknesses with some deployment choices for TLS1.0.

So - should we stick with the TLS1.0 as MTI and TLS1.2 as a SHOULD implement or can we now safely bump up to TLS1.2 as MTI?

And since it's been a source of confusion here before, we're discussing what's mandatory to *implement* not what's mandatory to *use*.

Thanks,
S.

PS: the other changes are mechanical so don't need to take up WG time but feel free to comment to the list, chairs, authors, me, ... whatever.

[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/ballot/
