We are looking at this all wrong. There are two kinds of protected resources OAuth supports:
* http://
* https://

OAuth provides two kinds of token authentication modes:

* bearer token
* token + signature

I don't know how to translate your statement below into text I can put in the draft to answer:

When you access/serve an http:// protected resource you do what?
When you access/serve an https:// protected resource you do what?

It is not about requiring SSL for bearer token. It is about what you can/should do when accessing an http:// resource.

EHL

On 4/7/10 7:09 AM, "Richard Barnes" <rbar...@bbn.com> wrote:

> To re-iterate and clarify Leif's second point, I would be in favor of
> making TLS:
>
> -- REQUIRED for implementations to support (== MUST)
> -- RECOMMENDED for deployments to use (== SHOULD)
>
> This is a pretty universal pattern in IETF protocols.
>
> --Richard
>
>
> On Apr 7, 2010, at 7:20 AM, Leif Johansson wrote:
>
>>
>>> Go implement whatever you want. But the spec should set the highest
>>> practical bar it can, and requiring HTTPS is trivial.
>>>
>>> As a practical note, if the WG reaches consensus to drop the MUST, I would
>>> ask the chairs to ask the security area and IESG to provide guidance whether
>>> they would approve such a document. The IESG did not approve OAuth 1.0a for
>>> publication as an RFC until this was changed to a MUST (for PLAINTEXT) among
>>> other comments, and that with a strong warning.
>>>
>>> There is also an ongoing effort to improve cookie security. Do we really
>>> want OAuth to become the next weakest link?
>>
>> I emphatically agree.
>>
>> I suspect that a lot of confusion on this thread is caused by
>> confusing implementation requirements with deployment requirements
>> btw.
>>
>> Cheers Leif
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth