Dear all,

I recently stumbled on the I-D for OAuth2.1 and I found the parts related to the usage of TLS quite confusing, as they reference different TLS-related RFCs in various parts of the document.

I tried to stub a PR here https://github.com/aaronpk/oauth-v2-1/pull/30 but while writing, I had a lot of doubts which were not solved just by reading https://tools.ietf.org/html/draft-ietf-httpbis-bcp56bis-09

So the question:

- Which is the correct way to specify the use of TLS in a new I-D?
- Is referencing BCP195 and RFC2818 enough for addressing all the security issues? BCP195 Recommendations for Secure Use of TLS [1], for example, does not mention interactions with HTTP (e.g. RFC8740).
- Should we add something on this in bcp56bis?

Thanks for your help and have a nice day,
R.

[1]: https://www.rfc-editor.org/info/bcp195

Received on Wednesday, 17 February 2021 09:59:28 UTC