Hello,

I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be
said about TLS 1.2 in the security recommendations.  I see that it is
recommended through RFC6819 that just says:

 Attacks can be mitigated by using transport-layer mechanisms such as
   TLS [RFC5246].  A virtual private network (VPN), e.g., based on IPsec
   VPNs [RFC4301], may be considered as well.


And more has been said in recent publications.  Since this particular draft
is addressing a threat exposed when TLS is not in use, the language from
the last draft would be better, requiring at least TLS 1.2 and referring to
the TLS BCP.

The only other point from my review is a nit:
At the end of section 4.4, there should be quotes around both instances of
"plain".

Once this has been addressed, we can start IETF last call.

Thank you!
-- 

Best regards,
Kathleen
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to