To re-iterate and clarify Leif's second point, I would be in favor of making TLS:

-- REQUIRED for implementations to support (== MUST)
-- RECOMMENDED for deployments to use (== SHOULD)

This is a pretty universal pattern in IETF protocols.

--Richard


On Apr 7, 2010, at 7:20 AM, Leif Johansson wrote:


Go implement whatever you want. But the spec should set the highest
practical bar it can, and requiring HTTPS is trivial.

As a practical note, if the WG reaches consensus to drop the MUST, I would ask the chairs to ask the security area and IESG to provide guidance whether they would approve such document. The IESG did not approve OAuth 1.0a for publication as an RFC until this was changed to a MUST (for PLAINTEXT) among
other comments, and that with a strong warning.

There is also an ongoing effort to improve cookie security. Do we really
want OAuth to become the next weakest link?

I emphatically agree.

I suspect that a lot of confusion on this thread is caused by confusing implementation requirements with deployment requirements btw.

        Cheers Leif
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
