Hi Kathleen,

I have made the two edits and updated the draft.

John B.

> On Apr 18, 2015, at 12:39 PM, Kathleen Moriarty 
> <[email protected]> wrote:
> 
> Hello,
> 
> I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be said 
> about TLS 1.2 in the security recommendations.  I see that it is recommended 
> through RFC6819 that just says: 
> 
>  Attacks can be mitigated by using transport-layer mechanisms such as
>    TLS [RFC5246].  A virtual private network (VPN), e.g., based on IPsec
>    VPNs [RFC4301], may be considered as well.
> 
> 
> And more has been said in recent publications.  Since this particular draft 
> is addressing a threat exposed when TLS is not in use, the language from the 
> last draft would be better, requiring at least TLS 1.2 and referring to the 
> TLS BCP.
> 
> The only other point from my review is a nit:
> At the end of section 4.4, there should be quotes around both instances of 
> "plain".
> 
> Once this has been addressed, we can start IETF last call.
> 
> Thank you!
> -- 
> 
> Best regards,
> Kathleen
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to