[bcp56bis] Using TLS in HTTP API specification

Dear all,

I recently stumbled on the I-D for OAuth2.1 and I found
the parts related to the usage of TLS quite confusing,
as they reference different TLS-related RFCs in various
parts of the document.

I tried to stub a PR here https://github.com/aaronpk/oauth-v2-1/pull/30
but while writing, I had a lot of doubts which were not solved just by reading
https://tools.ietf.org/html/draft-ietf-httpbis-bcp56bis-09

So the question:

- Which is the correct way to specify the use of TLS
  in a new I-D?
- Is referencing BCP195 and RFC2818 enough for addressing all the
  security issues?
  BCP195 Recommendations for Secure Use of TLS [1], for example, does not mention
  interactions with HTTP (e.g. RFC8740).
- Should we add something on this in bcp56bis?

Thanks for your help and have a nice day,
R.

[1]: https://www.rfc-editor.org/info/bcp195

Received on Wednesday, 17 February 2021 09:59:28 UTC