Hi John, Thank you. I'll review it tomorrow and start the processing so last call can start on Monday.
Best regards, Kathleen Sent from my iPhone > On May 16, 2015, at 7:12 PM, John Bradley <[email protected]> wrote: > > Hi Kathleen, > > I have made the two edits and updated the draft. > > John B. > >> On Apr 18, 2015, at 12:39 PM, Kathleen Moriarty >> <[email protected]> wrote: >> >> Hello, >> >> I just reviewed draft-ietf-oauth-spop-10 and am thinking more should be said >> about TLS 1.2 in the security recommendations. I see that it is recommended >> through RFC6819 that just says: >> >> Attacks can be mitigated by using transport-layer mechanisms such as >> TLS [RFC5246]. A virtual private network (VPN), e.g., based on IPsec >> VPNs [RFC4301], may be considered as well. >> >> >> And more has been said in recent publications. Since this particular draft >> is addressing a threat exposed when TLS is not in use, the language from the >> last draft would be better, requiring at least TLS 1.2 and referring to the >> TLS BCP. >> >> The only other point from my review is a nit: >> At the end of section 4.4, there should be quotes around both instances of >> "plain". >> >> Once this has been addressed, we can start IETF last call. >> >> Thank you! >> -- >> >> Best regards, >> Kathleen >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
