Hi John,

Thank you.  I'll review it tomorrow and start the processing so last call can 
start on Monday.

Best regards,
Kathleen 

Sent from my iPhone

> On May 16, 2015, at 7:12 PM, John Bradley <[email protected]> wrote:
> 
> Hi Kathleen,
> 
> I have made the two edits and updated the draft.
> 
> John B.
> 
>> On Apr 18, 2015, at 12:39 PM, Kathleen Moriarty 
>> <[email protected]> wrote:
>> 
>> Hello,
>> 
>> I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be said 
>> about TLS 1.2 in the security recommendations.  I see that it is recommended 
>> through RFC6819 that just says: 
>> 
>> Attacks can be mitigated by using transport-layer mechanisms such as
>>   TLS [RFC5246].  A virtual private network (VPN), e.g., based on IPsec
>>   VPNs [RFC4301], may be considered as well.
>> 
>> 
>> And more has been said in recent publications.  Since this particular draft 
>> is addressing a threat exposed when TLS is not in use, the language from the 
>> last draft would be better, requiring at least TLS 1.2 and referring to the 
>> TLS BCP.
>> 
>> The only other point from my review is a nit:
>> At the end of section 4.4, there should be quotes around both instances of 
>> "plain".
>> 
>> Once this has been addressed, we can start IETF last call.
>> 
>> Thank you!
>> -- 
>> 
>> Best regards,
>> Kathleen
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
> 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to