To close out this issue: There's disagreement about whether this proposed text is "necessary", but no one thinks it's *bad*, and I see consensus to use it. Eran, please make the following change in two places in the base document:
> OLD > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY > support additional transport-layer mechanisms meeting its security > requirements. > NEW > The authorization server MUST implement TLS. Which version(s) > ought to be implemented will vary over time, and depend on > the widespread deployment and known security vulnerabilities at > the time of implementation. At the time of this writing, TLS version > 1.2 [RFC5246] is the most recent version, but has very limited > actual deployment, and might not be readily available in > implementation toolkits. TLS version 1.0 [RFC2246] is the > most widely deployed version, and will give the broadest > interoperability. > > Servers MAY also implement additional transport-layer > mechanisms that meet their security requirements. Barry, as chair _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
