Standard - 2.3 TLS 1.2 Required?
Issue #447
resolved
On the OAuth list, people were pointing out that only TLS 1.0 is implementable right now, as the released version of Apache/OpenSSL only supports it.
Comments (4)
If all Connect specs have mostly the same TLS and X.509 requirements, Messages may have a dedicated section for the standard secure transport requirement used in Connect, and the others can refer to it.
changed status to resolved
Fixed #447 Standard - 2.3 TLS 1.2 Required?
Fix #447 Standard - 2.3 TLS 1.2 Required?
The current OAuth text is:
The authorization server MUST implement TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 <xref target='RFC5246' /> is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 <xref target='RFC2246' /> is the most widely deployed version, and will give the broadest interoperability.
We will follow the OAuth text.
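
The interoperability argument in the quoted OAuth text, worked through as an added example (not part of the thread or of the OAuth/Connect specs): it models the pre-TLS 1.3 version negotiation rule from RFC 5246 Appendix E.1. The peer names and their supported-version sets are constructed for illustration.

```python
# Added illustration: pre-TLS-1.3 version negotiation (RFC 5246, Appendix E.1).
# Peer names and version sets below are constructed, not measurements.
from itertools import product

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


def negotiate(client_versions, server_versions):
    """Return the agreed protocol version, or None if the handshake aborts."""
    if not client_versions or not server_versions:
        return None
    offered = max(client_versions)  # ClientHello.client_version
    # Server answers with the highest version it supports that is <= offered.
    candidates = [v for v in server_versions if v <= offered]
    if not candidates:
        return None  # server sends a protocol_version alert
    chosen = max(candidates)
    # Client aborts if the server picked a version it does not accept.
    return chosen if chosen in client_versions else None


CLIENTS = {
    "1.0-only toolkit": {TLS10},
    "1.0-1.2 toolkit": {TLS10, TLS11, TLS12},
    "1.2-only policy": {TLS12},
}
SERVERS = {
    "1.0-only toolkit": {TLS10},
    "1.0-1.2 toolkit": {TLS10, TLS11, TLS12},
    "1.2 required": {TLS12},
}


def interop_matrix():
    """Map (client, server) names to the negotiated version name or 'FAIL'."""
    return {
        (c, s): NAMES.get(negotiate(cv, sv), "FAIL")
        for (c, cv), (s, sv) in product(CLIENTS.items(), SERVERS.items())
    }


if __name__ == "__main__":
    for (c, s), result in interop_matrix().items():
        print(f"client {c:<17} server {s:<17} -> {result}")
```

A server that implements TLS 1.0 alongside newer versions connects with every peer in the matrix that also accepts 1.0, while a "1.2 required" server fails against any toolkit that only ships TLS 1.0.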