1. OpenID Foundation
  2. connect
  3. Issues
Issue #447 resolved

Standard - 2.3 TLS 1.2 Required?

Nat Sakimura
created an issue

In OAuth list, people were pointing out that only TLS 1.0 is implementable right now as Apache/OpenSSL released version only supports it.

Comments (4)

  1. Michael Jones

    The current OAuth text is:

    The authorization server MUST implement TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 <xref target='RFC5246' /> is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 <xref target='RFC2246' /> is the most widely deployed version, and will give the broadest interoperability.

    We will follow the OAuth text.

  2. hideki nara

    If all Connect specs require the mostly same TLS and X.509 requirement, Messages may have a dedicated section for the standard secure transport requirement used in Connect and others refer it.

  3. Log in to comment