Hello, I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be said about TLS 1.2 in the security recommendations. I see that it is recommended through RFC6819 that just says:
Attacks can be mitigated by using transport-layer mechanisms such as TLS [RFC5246]. A virtual private network (VPN), e.g., based on IPsec VPNs [RFC4301], may be considered as well. And more has been said in recent publications. Since this particular draft is addressing a threat exposed when TLS is not in use, the language from the last draft would be better, requiring at least TLS 1.2 and referring to the TLS BCP. The only other point from my review is a nit: At the end of section 4.4, there should be quotes around both instances of "plain". Once this has been addressed, we can start IETF last call. Thank you! -- Best regards, Kathleen
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
