[OAUTH-WG] Confusing wording in section 2.1

Andrew Arnott <andrewarnott@gmail.com> Fri, 08 April 2011 15:03 UTC

Draft 15, section 2.1

>    Since requests to the authorization endpoint result in user
>    authentication and the transmission of clear-text credentials (in the
>    HTTP response), the authorization server MUST require the use of a
>    transport-layer security mechanism when sending requests to the token
>    endpoints.  The authorization server MUST support TLS 1.2 as defined
>    in [RFC5246], and MAY support additional transport-layer mechanisms
>    meeting its security requirements.

I'm confused by the fact that token endpoints must use HTTPS due to a trait
of the authorization endpoint.  Am I missing something here, or is this
perhaps a misprint?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
We're hiring! My team at Microsoft has 7 open slots. http://bit.ly/fZBVUo