Replace reference to obsolete RFC7525 with BCP195

Issue #623 resolved
Joseph Heenan created an issue

In the TLS section FAPI2SP references RFC7525, which is now obsolete.

I think we should reference https://www.rfc-editor.org/info/bcp195 directly instead.

Comments (10)

  1. Daniel Fett

    This turned out to be harder than expected:

    • A BCP has no (fixed) title
    • It has no (fixed) set of authors
    • It has no publication date (and we want to explicitly avoid adding one as we want this to be the latest RFC in that series; however, we need a date for the list of references)

    It seems that referencing a BCP without also referring to the latest RFC in that series is not really something people do.

    Also, RFCs in that BCP series do not all serve the same purpose. While RFC 9325 has normative language on cipher suites, RFC 8996 does not. The former updates RFC7525, the latter does not.

    So I suggest that we find some language saying that you should use cipher suites from RFC 9325 or a later publication in the BCP 195 series if we think that that is what we want. If we want a stable spec, we should just go for RFC 9325.

    Let’s discuss.

  2. Joseph Heenan reporter

    I don’t like the “just go for RFC 9325” option.

    Given it will be painful to ever update the spec once we get to final, my preference is finding some wording so that when the BCP 195 series says “stop using TLS 1.3” that automatically becomes the FAPI2 position without us needing to update anything. I appreciate that’s not particularly straightforward though…

  3. Daniel Fett

    Consensus in the call today was to find wording working around the technical limitations of references.
