As has been pointed out in the discussions, if a website does not employ TLS on other connections, having TLS on the redirect does not add security.
Depending on the resource grant being given and the nature of the website, not running TLS may be an acceptable security tradeoff. Not being an IETF security expert, I don't have an opinion on MUST or SHOULD language for TLS on the redirect. This tradeoff should be well documented in the security considerations, and I feel strongly that this language should be in the core spec so that implementors understand the risk. Examples where this is an acceptable tradeoff could be where access to the resource is read-only and the resource is publicly available information. In this case, the resource is enabling contextually useful information for the user. A specific example of this would be blog comments.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
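One way an authorization server could enforce the tradeoff described in the post (TLS required on the redirect URI unless every requested scope only grants read access to public data), written as an added example that is not part of the mailing-list message; the scope names and the function are hypothetical:

```python
from urllib.parse import urlparse

# Constructed policy table: scopes that only grant read access to publicly
# available information (the blog-comments case). Scope names are hypothetical.
PUBLIC_READ_ONLY_SCOPES = {"comments:read", "posts:read"}


def redirect_uri_allowed(redirect_uri: str, requested_scopes: set) -> tuple:
    """Decide whether to accept a client's redirect URI for a given set of scopes.

    Returns (allowed, reason). A plain-http redirect is accepted only when every
    requested scope is in PUBLIC_READ_ONLY_SCOPES; the reason string records which
    branch was taken so the decision can be logged alongside the request.
    """
    parsed = urlparse(redirect_uri)
    if parsed.scheme == "https":
        return True, "redirect uses TLS"
    if parsed.scheme != "http":
        return False, "unsupported redirect scheme: %r" % parsed.scheme
    if not requested_scopes:
        return False, "no scopes requested; cannot judge the tradeoff"
    if requested_scopes <= PUBLIC_READ_ONLY_SCOPES:
        # Documented tradeoff: read-only access to public data over plain http.
        return True, "plain http accepted: all scopes are read-only public data"
    return False, "plain http rejected: scopes grant non-public or write access"
```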