[agree-on-direction] 6.1 TLS requirements shoudl be stated

Kristina Yasuda

Should we simply say that TLS requirements of RFC6749 and OIDC Core apply? Or should we update the recommendation to TLS 1.3 since both https://www.rfc-editor.org/rfc/rfc6749.html#section-1.6 and https://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements say

At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has a very limited deployment base and might not be readily available for implementation. TLS version 1.0 [RFC2246] is the most widely deployed version and will provide the broadest interoperability.

‌

2022-10-11T21:44:31+00:00

Kristina Yasuda

changed title to [need-guidance] 6.1 TLS requirements shoudl be stated

2022-10-13T05:10:33+00:00

Kristina Yasuda

changed title to [agree-on-direction] 6.1 TLS requirements shoudl be stated

2022-10-13T05:11:02+00:00

Kristina Yasuda

changed status to open

scheme is https, and say that transport must be secure?

and mention TLS1.3/1.2 Best current practice in the security consideration section? (https://datatracker.ietf.org/doc/rfc9325/)

2023-01-12T15:56:14+00:00

Brian Campbell

The last sentence of https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html#section-2-2 is the text I was thinking about on the call. Not sure it translates well to this context but does convey the intent kinda.

2023-01-12T15:59:38+00:00

Kristina Yasuda

this sentence? DPoP is not, however, a substitute for a secure transport and MUST always be used in conjunction with HTTPS.? how is this a TLS requirement..?

2023-06-16T03:10:00+00:00

Kristina Yasuda

ISO mandates TLS version 1.2 as specified in RFC 5246 and may support TLS version 1.3 as specified in RFC 8446

i am ok with similar

2023-07-20T08:34:04+00:00

Kristina Yasuda

changed status to resolved

PR merged.

2023-08-24T16:08:11+00:00

Comments (8)