[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OAUTH-WG] Mandatory signature algorithms?

From: Breno <breno.demedeiros at gmail.com>
To: Eran Hammer-Lahav <eran at hueniverse.com>
Cc: "oauth at ietf.org" <oauth at ietf.org>
Date: Fri, 25 Sep 2009 08:09:29 -0700
In-reply-to: <90C41DD21FB7C64BB94121FBBC2E72343784D58C87 at P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <6c0fd2bc0909220634sb5334fcw1890569fd84ece09 at mail.gmail.com> <4ABBE85C.3030301 at jkemp.net> <90C41DD21FB7C64BB94121FBBC2E72343784D58C87 at P3PW5EX1MB01.EX1.SECURESERVER.NET>

This is another argument against trying to do better than TLS, since OAuth does not define its own encryption transport mechanism.

Insecurity concerns about TLS are quite manageable by those who care about security. You can profile TLS at your will. For instance, to make your FF compliant with FIPS-140-2 TLS profile, follow the instructions here:

http://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2?style_mode=inproduct&s=cipher%20suites

On Thu, Sep 24, 2009 at 7:53 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:

The one method I am sure we are going to support is a plaintext method.

--
Breno de Medeiros

Follow-Ups:
- Re: [OAUTH-WG] Mandatory signature algorithms?
  - From: Blaine Cook

References:
- [OAUTH-WG] Mandatory signature algorithms?
  - From: Hubert Le Van Gong
- Re: [OAUTH-WG] Mandatory signature algorithms?
  - From: John Kemp
- Re: [OAUTH-WG] Mandatory signature algorithms?
  - From: Eran Hammer-Lahav

Prev by Date: Re: [OAUTH-WG] Fwd: Mandatory signature algorithms?
Next by Date: Re: [OAUTH-WG] OAuth and HTTP caching
Previous by thread: Re: [OAUTH-WG] Mandatory signature algorithms?
Next by thread: Re: [OAUTH-WG] Mandatory signature algorithms?
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.