Hi Kathleen, I have made the two edits and updated the draft.
John B. > On Apr 18, 2015, at 12:39 PM, Kathleen Moriarty > <[email protected]> wrote: > > Hello, > > I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be said > about TLS 1.2 in the security recommendations. I see that it is recommended > through RFC6819 that just says: > > Attacks can be mitigated by using transport-layer mechanisms such as > TLS [RFC5246]. A virtual private network (VPN), e.g., based on IPsec > VPNs [RFC4301], may be considered as well. > > > And more has been said in recent publications. Since this particular draft > is addressing a threat exposed when TLS is not in use, the language from the > last draft would be better, requiring at least TLS 1.2 and referring to the > TLS BCP. > > The only other point from my review is a nit: > At the end of section 4.4, there should be quotes around both instances of > "plain". > > Once this has been addressed, we can start IETF last call. > > Thank you! > -- > > Best regards, > Kathleen > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
