Re: [OAUTH-WG] TLS 1.2

2011-08-18 Thread Lu, Hui-Lan (Huilan)
+1 Huilan > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Rob > Richards > Sent: Thursday, August 18, 2011 3:46 PM > To: Eran Hammer-Lahav > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] TLS 1.2 > > On 8/18/11

Re: [OAUTH-WG] TLS 1.2

2011-08-18 Thread Rob Richards
On 8/18/11 2:31 PM, Eran Hammer-Lahav wrote: -Original Message- From: Rob Richards [mailto:rricha...@cdatazone.org] Sent: Tuesday, August 16, 2011 1:34 PM The authorization server SHOULD support TLS 1.2 as defined in [RFC5246] but at a minimum MUST support TLS 1.0 as defined in [RFC2246],

Re: [OAUTH-WG] TLS 1.2

2011-08-18 Thread Eran Hammer-Lahav
> -Original Message- > From: Rob Richards [mailto:rricha...@cdatazone.org] > Sent: Tuesday, August 16, 2011 1:34 PM > The authorization server SHOULD support TLS 1.2 as defined in [RFC5246] but > at a minimum MUST support TLS 1.0 as defined in [RFC2246], and MAY > support additional trans

Re: [OAUTH-WG] TLS 1.2

2011-08-16 Thread Rob Richards
an Hammer-Lahav wrote: We should relax it. Just need someone to propose new language. EHL -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Richer Sent: Tuesday, August 16, 2011 12:49 PM To: Rob Richards Cc: oauth@ietf.org Subject: Re: [OA

Re: [OAUTH-WG] TLS 1.2

2011-08-16 Thread Phillip Hunt
auth-boun...@ietf.org] On Behalf >>> Of Justin Richer >>> Sent: Tuesday, August 16, 2011 12:49 PM >>> To: Rob Richards >>> Cc: oauth@ietf.org >>> Subject: Re: [OAUTH-WG] TLS 1.2 >>> >>> As I recall, the logic of the group here was som

Re: [OAUTH-WG] TLS 1.2

2011-08-16 Thread Peter Saint-Andre
: Rob Richards >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] TLS 1.2 >> >> As I recall, the logic of the group here was something like: >> >> "We want transport-layer encryption, so let's grab the latest version of that >> around, which looks to be

Re: [OAUTH-WG] TLS 1.2

2011-08-16 Thread Eran Hammer-Lahav
We should relax it. Just need someone to propose new language. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Justin Richer > Sent: Tuesday, August 16, 2011 12:49 PM > To: Rob Richards > Cc: oauth@ietf.org > S

Re: [OAUTH-WG] TLS 1.2

2011-08-16 Thread Justin Richer
As I recall, the logic of the group here was something like: "We want transport-layer encryption, so let's grab the latest version of that around, which looks to be TLS 1.2" With that logic in mind, this relaxation makes sense to me. Does anyone remember this requirement differently? -- Justin

Re: [OAUTH-WG] TLS 1.2

2011-08-16 Thread Rob Richards
I wanted to follow up on this and see if there was any consideration to relaxing this requirement. Can someone actually point me to a compliant implementation using TLS 1.2 because after looking at a number of them, I have yet to find one that does. Rob On 8/12/11 3:56 PM, Rob Richards wrote:

[OAUTH-WG] TLS 1.2

2011-08-12 Thread Rob Richards
The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2). Based on a thread about this from last year I was under the impression that it was going to be relaxed to a SHOULD with most likely TLS 1.0 (or possibly SSLv3) as a MUST. I think it's a bit unrealistic to require 1.2 when many sy