Editorial: unclear language in TLS Considerations 8.5

Issue #323 resolved
Ralph Bragg created an issue

Because the term BCP195 is only introduced here, it isn’t clear that the four permitted cipher suites listed in the previous clause are the only cipher suites allowed under BCP195. Instead this can be read that you can use additional ciphers included in BCP195, when what it means is you can use ciphers OTHER than those included in BCP195.

Original

  1. For the authorization_endpoint, the authorization server MAY allow additional cipher suites that are permitted by the latest version of [BCP195], if necessary to allow sufficient interoperability with users' web browsers.

Suggest

  1. For the authorization_endpoint, the authorization server MAY allow additional cipher suites other than those permitted by the latest version of [BCP195], if necessary to allow sufficient interoperability with users' web browsers.

This makes it clear that BCP195 is the source of the cipher suites and not that it contains extras apart from the four above.

Comments (9)

  1. Nat Sakimura

    Merged in issue_323 (pull request #198)

    fixes #323 - Editorial: unclear language in TLS Considerations 8.5

    Approved-by: Dima Postnikov
    Approved-by: Dave Tonge
    Approved-by: Brian Campbell
    Approved-by: Nat Sakimura
    Approved-by: Stuart Low
    Approved-by: Daniel Fett

    → <<cset 19f793326cbb>>

  2. Joseph Heenan
    • changed status to open

    Reopening this, as the new language permits:

    • cipher suites with NULL encryption.
    • RC4 cipher suites.
    • cipher suites offering less than 112 bits of security.

    I don't think there's been any evidence put forward that we should allow these things, and it's more than an editorial change.
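The three categories in the comment above are the cipher suites that BCP195 (RFC 7525, section 4.1) says implementations MUST NOT negotiate. The following is an added example, not code from the FAPI specification or from the thread's participants: a small checker that takes a list of cipher suites an authorization server is proposing to add "for browser interoperability" and reports which of them fall below the BCP195 floor. The IANA suite names, the per-cipher strength table and the sample list PROPOSED_EXTRA_SUITES are constructed for this example; counting 3DES at 112 bits and export-grade DES/RC2 at 40 bits is this example's assumption.

```python
# Added example: audit proposed "additional" cipher suites against the
# three BCP195 (RFC 7525 section 4.1) MUST NOT rules quoted in the thread:
#   - no NULL encryption
#   - no RC4
#   - nothing offering less than 112 bits of security (incl. export-grade)
# Suite names follow the IANA TLS Cipher Suite Registry naming convention.

MIN_SECURITY_BITS = 112  # BCP195 floor

# Effective key strength of bulk ciphers as they appear in IANA suite names.
# Assumption for this example: 3DES is counted at 112 bits (its effective
# strength), single DES at 56, export-grade DES40/RC2-40 at 40, NULL at 0.
_BULK_STRENGTH = {
    "AES_128": 128, "AES_256": 256, "CHACHA20_POLY1305": 256,
    "CAMELLIA_128": 128, "CAMELLIA_256": 256, "ARIA_128": 128, "ARIA_256": 256,
    "SEED_CBC": 128, "IDEA_CBC": 128,
    "3DES_EDE_CBC": 112, "DES_CBC": 56, "DES40_CBC": 40, "RC2_CBC_40": 40,
    "RC4_128": 128, "RC4_40": 40,
    "NULL": 0,
}


def bulk_cipher(suite):
    """Return the bulk-cipher token of an IANA suite name, or None if unknown.

    TLS 1.2-and-earlier names look like TLS_<kx>_WITH_<cipher>_<mac>;
    TLS 1.3 names look like TLS_<cipher>_<hash> (no key exchange part).
    """
    if "_WITH_" in suite:
        body = suite.split("_WITH_", 1)[1]
    elif suite.startswith("TLS_"):
        body = suite[len("TLS_"):]
    else:
        return None
    # Longest token first so e.g. DES40_CBC is not mistaken for DES_CBC.
    for token in sorted(_BULK_STRENGTH, key=len, reverse=True):
        if body.startswith(token):
            return token
    return None


def bcp195_violations(suite):
    """List the BCP195 MUST NOT rules a suite breaks (empty list = passes)."""
    token = bulk_cipher(suite)
    if token is None:
        return ["unrecognised bulk cipher"]
    problems = []
    if token == "NULL":
        problems.append("NULL encryption")
    if token.startswith("RC4"):
        problems.append("RC4")
    if _BULK_STRENGTH[token] < MIN_SECURITY_BITS:
        problems.append(f"<{MIN_SECURITY_BITS} bits of security")
    return problems


def audit_additional_suites(candidates):
    """Split proposed extra suites into (allowed, {suite: violations})."""
    allowed, forbidden = [], {}
    for suite in candidates:
        violations = bcp195_violations(suite)
        if violations:
            forbidden[suite] = violations
        else:
            allowed.append(suite)
    return allowed, forbidden


# Constructed sample: what a server operator might propose to add for
# browser interoperability on the authorization_endpoint.
PROPOSED_EXTRA_SUITES = [
    "TLS_AES_128_GCM_SHA256",                        # TLS 1.3
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",                 # exactly at the 112-bit floor
    "TLS_RSA_WITH_RC4_128_SHA",                      # RC4: forbidden
    "TLS_RSA_WITH_NULL_SHA256",                      # NULL encryption: forbidden
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",             # 40-bit export: forbidden
]

if __name__ == "__main__":
    ok, bad = audit_additional_suites(PROPOSED_EXTRA_SUITES)
    for suite in ok:
        print(f"allowed   {suite}")
    for suite, why in bad.items():
        print(f"forbidden {suite}: {', '.join(why)}")
```

Note that TLS_RSA_WITH_3DES_EDE_CBC_SHA clears the MUST NOT floor only because 3DES is counted at exactly 112 bits; RFC 7525 separately says implementations SHOULD NOT negotiate suites below 128 bits, so a stricter audit would report it as a warning rather than accept it silently.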
