Please do. EHL
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Peter Saint-Andre
> Sent: Wednesday, June 09, 2010 6:38 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Questions about sections 3.2/3.3
>
> On 6/9/10 6:42 PM, Michael D Adams wrote:
> > On Tue, Jun 8, 2010 at 3:10 PM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> >>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> >>> Behalf Of Yaron Goland Section 3.3 - Is TLS/SSL mandatory or
> >>> optional? And if so, what version of TLS/SSL?
> >>
> >> Is it ok to require TLS 1.2?
> >>
> >>> To me this text implies that an OAuth server could be conformant and
> >>> not implement TLS/SSL but instead implement some other
> >>> transport-layer security mechanism (say a VPN protocol). From an
> >>> interoperability perspective that seems problematic since it means
> >>> clients can't know what transport-layer solution the token endpoint
> >>> will support. Wouldn't it be reasonable to put in a requirement that
> >>> all OAuth endpoints MUST support RFC 5246 and RFC 5746?
> >>
> >> 5246 makes sense. I don't know enough to say about 5746.
> >>
> >>> In other words the language could read: "...the authorization server
> >>> MUST require the use of a transport-layer mechanism when sending
> >>> requests to the token endpoints. Specifically, authorization servers
> >>> MUST support version 1.2 of TLS as defined in RFC 5246 and extended
> >>> in RFC 5746 and MAY support other equivalent secure channel
> mechanisms".
> >
> > Does anyone have a list of libraries that support TLS 1.2?
> >
> > OpenSSL, for example, only supports TLS 1.0 in the current stable
> > release. That'd be RFC2246 (presumably plus extensions).
> >
> > I don't know the difference between SSL and TLS let alone TLS 1.0 and
> > TLS 1.2, but a systems friend of mine says:
> >
> >> I don't think it is realistic to require anything higher than TLS 1.0.
>
> Typically, specifications do the following:
>
> 1. Require support for Transport Layer Security.
>
> 2. Point to the latest specification of that technology (RFC 5246).
>
> 3. Prohibit or strongly discourage use of some older versions of that
> technology -- often SSL 2.0 but in some cases also SSL 3.0.
>
> I can provide suggested text along those lines (see rfc3920bis for ideas).
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
> _______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
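The three-step pattern Peter describes (require TLS, reference RFC 5246, prohibit SSL 2.0/3.0) is something an implementer can check their own endpoint client against. The following is an added example, not code from the thread or from any OAuth library: it audits a Python `ssl.SSLContext` against that policy and shows a context that fails it beside one that meets it. The function names and the finding strings are my own.

```python
import ssl

# Policy from the thread: TLS required, TLS 1.2 (RFC 5246) as the reference
# version, SSL 2.0 and SSL 3.0 prohibited. RFC 5746 secure renegotiation is
# not exposed by the ssl module, so it is not checked here.
POLICY_FLOOR = ssl.TLSVersion.TLSv1_2


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings where ctx violates the policy; empty list means OK."""
    findings = []
    floor = ctx.minimum_version
    ceiling = ctx.maximum_version
    # MINIMUM_SUPPORTED means "whatever the linked OpenSSL allows", which on
    # old builds includes SSL 3.0, so an absent floor is itself a finding.
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED or floor <= ssl.TLSVersion.SSLv3:
        findings.append("no version floor: SSL 2.0/3.0 may be negotiated")
    elif floor < POLICY_FLOOR:
        findings.append(f"floor is {floor.name}: TLS 1.0/1.1 may be negotiated")
    # MAXIMUM_SUPPORTED (-1) sorts below every real version, so exclude it.
    if ceiling != ssl.TLSVersion.MAXIMUM_SUPPORTED and ceiling < POLICY_FLOOR:
        findings.append(f"ceiling is {ceiling.name}: TLS 1.2 cannot be negotiated")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that satisfies the policy: TLS 1.2 floor, certs verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = POLICY_FLOOR
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counterexample: floor at TLS 1.0, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "OK")
```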