On 6/9/10 6:42 PM, Michael D Adams wrote:
> On Tue, Jun 8, 2010 at 3:10 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
>>> Yaron Goland
>>> Section 3.3 - Is TLS/SSL mandatory or optional? And if so, what version of
>>> TLS/SSL?
>>
>> Is it ok to require TLS 1.2?
>>
>>> To me this text implies that an OAuth server could be conformant and not
>>> implement TLS/SSL but instead implement some other transport-layer
>>> security mechanism (say a VPN protocol). From an interoperability
>>> perspective that seems problematic since it means clients can't know what
>>> transport-layer solution the token endpoint will support. Wouldn't it be
>>> reasonable to put in a requirement that all OAuth endpoints MUST support
>>> RFC 5246 and RFC 5746?
>>
>> 5246 makes sense. I don't know enough to say about 5746.
>>
>>> In other words the language could read: "...the authorization server MUST
>>> require the use of a transport-layer mechanism when sending requests to
>>> the token endpoints. Specifically, authorization servers MUST support
>>> version 1.2 of TLS as defined in RFC 5246 and extended in RFC 5746 and MAY
>>> support other equivalent secure channel mechanisms".
>
> Does anyone have a list of libraries that support TLS 1.2?
>
> OpenSSL, for example, only supports TLS 1.0 in the current stable
> release. That'd be RFC 2246 (presumably plus extensions).
>
> I don't know the difference between SSL and TLS let alone TLS 1.0 and
> TLS 1.2, but a systems friend of mine says:
>
>> I don't think it is realistic to require anything higher than TLS 1.0.
Typically, specifications do the following:

1. Require support for Transport Layer Security.
2. Point to the latest specification of that technology (RFC 5246).
3. Prohibit or strongly discourage use of some older versions of that technology -- often SSL 2.0 but in some cases also SSL 3.0.

I can provide suggested text along those lines (see rfc3920bis for ideas).

Peter

--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
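As an added example (not code from the thread, the OAuth working group or any IETF document), here is how the policy under discussion looks when encoded with Python's `ssl` module: a token-endpoint server context floored at TLS 1.2 (RFC 5246), a client context that refuses older servers, and a verdict function for the protocol name a socket actually negotiated. The function names, the `certfile`/`keyfile` paths and the "legacy" tier for TLS 1.0/1.1 are my assumptions, not something the thread settles.

```python
import ssl

# Policy from the thread: the token endpoint MUST support TLS 1.2 (RFC 5246)
# and SSL 2.0/3.0 are prohibited. TLS 1.0/1.1 are tagged "legacy" (assumed
# tier) so a deployment can decide separately whether to still admit them.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
PROHIBITED = {"SSLv2", "SSLv3"}
LEGACY = {"TLSv1", "TLSv1.1"}


def token_endpoint_context(certfile=None, keyfile=None):
    """Server-side context for an authorization server's token endpoint.

    certfile/keyfile are hypothetical paths supplied by the deployment.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Pin the floor explicitly instead of trusting the library default,
    # which depends on the OpenSSL build and any system-wide crypto policy.
    ctx.minimum_version = MIN_VERSION
    # TLS-level compression leaks plaintext to a chosen-plaintext observer.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # RFC 5746 secure renegotiation lives inside OpenSSL itself; there is
    # no per-context switch to flip here.
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def token_client_context():
    """Client-side context: verify the server chain and hostname, and
    refuse any token endpoint that cannot negotiate at least TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def version_verdict(negotiated):
    """Classify a protocol name as returned by SSLSocket.version().

    Returns 'accept', 'legacy' or 'prohibited'. An unrecognised name is
    treated as prohibited so a new or mistyped label fails closed.
    """
    if negotiated in PROHIBITED:
        return "prohibited"
    if negotiated in LEGACY:
        return "legacy"
    if negotiated in ("TLSv1.2", "TLSv1.3"):
        return "accept"
    return "prohibited"
```

After `wrap_socket` on either side, pass `sock.version()` to `version_verdict` to log or reject connections that fell below the floor.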