The latest draft shows TLS 1.2 as a MUST (sections 3.1 and 3.2). Based
on a thread about this from last year I was under the impression that it
was going to be relaxed to a SHOULD with most likely TLS 1.0 (or
possibly SSLv3) as a MUST. I think it's a bit unrealistic to require
1.2 when many sy
I wanted to follow up on this and see if there was any consideration to
relaxing this requirement. Can someone actually point me to a compliant
implementation using TLS 1.2 because after looking at a number of them,
I have yet to find one that does.
Rob
On 8/12/11 3:56 PM, Rob Richards wrote
an Hammer-Lahav wrote:
We should relax it. Just need someone to propose new language.
EHL
-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Justin Richer
Sent: Tuesday, August 16, 2011 12:49 PM
To: Rob Richards
Cc: oauth@ietf.org
Subject: Re: [OA
On 8/18/11 2:31 PM, Eran Hammer-Lahav wrote:
-Original Message-
From: Rob Richards [mailto:rricha...@cdatazone.org]
Sent: Tuesday, August 16, 2011 1:34 PM
The authorization server SHOULD support TLS 1.2 as defined in [RFC5246] but
at a minimum MUST support TLS 1.0 as defined in [RFC2246
Please refer to this thread about the problem with requiring anything
more than TLS 1.0
http://www.ietf.org/mail-archive/web/oauth/current/msg07234.html
You will end up with a spec that virtually no one can implement and be
in conformance with. I still have yet to find an implementation out in
I'm saying that it's very difficult for someone to implement an AS that
implements TLS 1.2. TLS 1.2 is not supported in a good number of
systems people deploy on. For example, the use of Apache and OpenSSL
accounts for a good number of web servers out there. The only way to
deploy a conform
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the same
text in both places:
OLD
The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD
support TLS 1.2 ([RFC5246]) and its future replacements, and MAY
support additional transport
57 PM, Stephen Farrell wrote:
On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
On 12/1/11 1:09 PM, Rob Richards wrote:
On 11/28/11 10:39 PM, Barry Leiba wrote:
The OAuth base doc refers in two places to TLS versions (with the
same text in both places:
OLD
The authorization server MUST support TL
I think you nailed it with that statement. Up until now it has been back
and forth about one or the other. Personally I prefer to use layered
security and not rely on a single point of attack. It's unrealistic
to say everyone is going to want/need/be able to use (take your pick)
signed/encr
Wouldn't it make sense to require the oauth_version parameter under 2.0
for resource calls so that the two versions can be distinguished?
Rob
Paul Lindner wrote:
If you're routing requests with a load balancer it's not so trivial.
Instead of a substring match you're talking about a regex wit
com>> wrote:
It's easy to detect version when calling a protected resource. In
OAuth 2.0 you only have one token parameter whereas 1.0 has a variety
of parameters including a signature.
--David
On Mon, Jun 14, 2010 at 9:05 AM, Rob Richards
mailto:rricha...
I still think that the issue of running both 1.0 and 2.0 on a resource
endpoint needs to be addressed in the spec. It is unrealistic to think
that a provider currently running 1.0 can just do a complete cutover to
2.0 and shut down 1.0 access, or providers arbitrarily making the
decision what
Versioning is still something that needs to be addressed before being
able to consider the draft core complete.
On this I'm still of the opinion that at the very minimum you will need
to require an oauth_version parameter for the resource endpoints, if not
also for the others as well.
Ro
Eran Hammer-Lahav wrote:
-Original Message-
From: Marius Scurtescu [mailto:mscurte...@google.com]
Sent: Thursday, July 01, 2010 10:37 AM
To: Eran Hammer-Lahav
Cc: Rob Richards; OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Versioning
On Thu, Jul 1, 2010 at 9:35 AM, Eran Hammer
om: Marius Scurtescu [mailto:mscurte...@google.com]
Sent: Thursday, July 01, 2010 11:16 AM
To: Eran Hammer-Lahav
Cc: William Mills; Rob Richards; oauth@ietf.org
Subject: Re: [OAUTH-WG] Versioning
On Thu, Jul 1, 2010 at 10:59 AM, Eran Hammer-Lahav
wrote:
Why is a version better than a new s
Eran Hammer-Lahav wrote:
[Replying to everything at once...]
-Original Message-
From: Rob Richards [mailto:rricha...@cdatazone.org]
Sent: Thursday, July 01, 2010 11:43 AM
Exactly. While it might be needed in the future, there is a need to
differentiate OAuth 1.0 from 2.0
st focus on the getting a
migration spec written so that there is at least something official on
this topic. On that note are there any guidelines, howtos, etc.. on
writing a spec?
Rob
-Original Message-
From: Rob Richards [mailto:rricha...@cdatazone.org]
Sent: Friday, July 02,
Finally getting a chance to catch up and respond to this thread.
Marius Scurtescu wrote:
See comments below...
On Fri, Jul 9, 2010 at 4:27 AM, Stefanie Dronia wrote:
Hello Marius,
thanks for your statement.
Your idea of a migration flow is quite good and necessary.
But I still doubt, if
On 7/14/10 6:33 PM, Marius Scurtescu wrote:
On Wed, Jul 14, 2010 at 11:46 AM, Rob Richards wrote:
Finally getting a chance to catch up and respond to this thread.
Marius Scurtescu wrote:
See comments below...
On Fri, Jul 9, 2010 at 4:27 AM, Stefanie Dronia wrote:
Hello Marius,
thanks
, Rob Richards wrote:
Finally getting a chance to catch up and respond to this thread.
Marius Scurtescu wrote:
See comments below...
On Fri, Jul 9, 2010 at 4:27 AM, Stefanie Dronia wrote:
Hello Marius,
thanks for your statement.
Your idea of a migration flow is quite good and necessary.
But