Added to section 1:

   TLS Version

          Whenever TLS is required by this specification, the appropriate version (or versions) of
          TLS will vary over time, based on the widespread deployment and known security
          vulnerabilities. At the time of this writing, TLS version 1.2 <xref target='RFC5246' />
          is the most recent version, but has a very limited deployment base and might not be
          readily available for implementation. TLS version 1.0 <xref target='RFC2246' /> is the
          most widely deployed version, and will provide the broadest interoperability.

          Implementations MAY also support additional transport-layer mechanisms that meet their
          security requirements.

And referenced this section when TLS requirements were previously defined.

EHL


> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Barry Leiba
> Sent: Sunday, December 18, 2011 10:56 AM
> To: oauth WG
> Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
> 
> To close out this issue:
> There's disagreement about whether this proposed text is "necessary", but
> no one thinks it's *bad*, and I see consensus to use it.  Eran, please make
> the following change in two places in the base document:
> 
> > OLD
> > The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
> > support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
> > support additional transport-layer mechanisms meeting its security
> > requirements.
> 
> > NEW
> > The authorization server MUST implement TLS.  Which version(s) ought
> > to be implemented will vary over time, and depend on the widespread
> > deployment and known security vulnerabilities at the time of
> > implementation.  At the time of this writing, TLS version
> > 1.2 [RFC5246] is the most recent version, but has very limited actual
> > deployment, and might not be readily available in implementation
> > toolkits.  TLS version 1.0 [RFC2246] is the most widely deployed
> > version, and will give the broadest interoperability.
> >
> > Servers MAY also implement additional transport-layer mechanisms that
> > meet their security requirements.
> 
> Barry, as chair
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth