[agree-on-direction] 6.1 TLS requirements should be stated
Right now, it just says HTTP GET or HTTP Redirects.
Perhaps we may want to state some TLS requirements with it.
- changed title to [need-guidance] 6.1 TLS requirements should be stated
- changed title to [agree-on-direction] 6.1 TLS requirements should be stated
- changed status to open
Scheme is https, and say that transport must be secure?
And mention the TLS 1.3/1.2 best current practice in the security considerations section? (https://datatracker.ietf.org/doc/rfc9325/)
The last sentence of https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html#section-2-2 is the text I was thinking about on the call. Not sure it translates well to this context but does convey the intent kinda.
this sentence?
DPoP is not, however, a substitute for a secure transport and MUST always be used in conjunction with HTTPS.
? How is this a TLS requirement..?
ISO mandates
TLS version 1.2 as specified in RFC 5246 and may support TLS version 1.3 as specified in RFC 8446
I am ok with similar.
- changed status to resolved
PR merged.
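The two points raised in this thread, that endpoints must use the https scheme and that the transport must negotiate at least TLS 1.2 with TLS 1.3 preferred (RFC 9325), are what a client implementation actually has to enforce. The following is an added example written for this page, not code from the thread or from the OpenID project, showing one way to do both in Python's standard `ssl` and `urllib.parse` modules. All function names (`endpoint_url_is_secure`, `make_client_tls_context`, `context_enforces_minimum`, `negotiated_version_acceptable`) and the sample URLs are assumptions constructed for the example.

```python
"""Enforce the TLS requirements discussed above on the client side.

Added example (not the spec's or the project's own code):
  1. every endpoint URL handed to the client must use the https scheme;
  2. the TLS context used for HTTP GET / redirects must refuse anything
     below TLS 1.2, leaving TLS 1.3 as the preferred negotiated version.
"""
import ssl
from urllib.parse import urlsplit

# Versions that RFC 9325 treats as acceptable; anything older is refused.
ACCEPTABLE_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def endpoint_url_is_secure(url: str) -> bool:
    """Return True only for absolute URLs whose scheme is exactly https.

    Rejects plain http, scheme-relative URLs, and URLs without a host, so a
    redirect or discovery response cannot quietly downgrade the transport.
    """
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def make_client_tls_context() -> ssl.SSLContext:
    """Build a client context that verifies the server and floors TLS at 1.2.

    create_default_context() already enables certificate verification and
    hostname checking; the explicit minimum_version is the thread's point.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # No maximum_version is set, so TLS 1.3 is negotiated when both sides
    # support it.
    return ctx


def context_enforces_minimum(ctx: ssl.SSLContext) -> bool:
    """Check that a context cannot negotiate below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def negotiated_version_acceptable(version_name: str) -> bool:
    """Judge the string returned by SSLSocket.version() after a handshake.

    Useful as a belt-and-braces check in logging or monitoring: if a
    connection ever reports anything outside the accepted set, the context
    configuration has been bypassed or changed.
    """
    return version_name in ACCEPTABLE_TLS_VERSIONS


if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for candidate in (
        "https://issuer.example/.well-known/openid-configuration",
        "http://issuer.example/authorize",
        "//issuer.example/token",
    ):
        print(candidate, "->", "ok" if endpoint_url_is_secure(candidate) else "REJECT")
    ctx = make_client_tls_context()
    print("minimum version enforced:", context_enforces_minimum(ctx))
```

In use, `make_client_tls_context()` is passed to whatever HTTP client performs the GET or follows the redirect, and `endpoint_url_is_secure()` is applied to every URL before the request is issued, including each `Location` header while following redirects.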
Should we simply say that TLS requirements of RFC6749 and OIDC Core apply? Or should we update the recommendation to TLS 1.3 since both https://www.rfc-editor.org/rfc/rfc6749.html#section-1.6 and https://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements say