
[OAUTH-WG] OAuth 1.0 PLAINTEXT without SSL/TLS



I no longer think there is a valid reason why the OAuth 1.0 specification does not mandate using a secure channel with PLAINTEXT, and I would like to make this change from SHOULD to MUST in the RFC draft [1].

Is there anyone using OAuth PLAINTEXT *not* over TLS/SSL? Is there a *good* reason why the 1.0 specification should not mandate using a secure channel for PLAINTEXT? If someone really wants to use it without, it's a free country but I can't think of any reason.

The only reason not to make the change is if there are existing deployed use cases where PLAINTEXT is used in such a way. If there are none after two years, we should not allow it moving forward.

EHL

[1] http://tools.ietf.org/html/draft-hammer-oauth
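For readers who want to see why the request in the message is framed as a transport question: the PLAINTEXT signature method carries both shared secrets verbatim in the oauth_signature parameter, while HMAC-SHA1 only uses them as a MAC key. The block below is an added illustration, not code from draft-hammer-oauth (later RFC 5849) or from anyone on the list; it follows RFC 5849 sections 3.4.2, 3.4.4 and 3.6, and the secrets, base string and request parameters are constructed sample values.

```python
"""OAuth 1.0 PLAINTEXT vs. HMAC-SHA1, plus a server-side check that refuses
PLAINTEXT unless the request arrived over TLS/SSL (the MUST proposed above).
Added illustration; all sample secrets and parameters are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


def oauth_encode(value: str) -> str:
    """RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / '-' '.' '_' '~'
    pass through; every other byte becomes uppercase %XX."""
    return quote(value, safe="-._~")


def plaintext_signature(consumer_secret: str, token_secret: str) -> str:
    """PLAINTEXT (RFC 5849 3.4.4): no algorithm at all. oauth_signature is the
    two encoded secrets joined by '&', so whoever can read the request can
    read the secrets; confidentiality comes entirely from the transport."""
    return oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str) -> str:
    """HMAC-SHA1 (RFC 5849 3.4.2): the same '&'-joined secrets act as the MAC
    key, binding the signature to the request without exposing them."""
    key = plaintext_signature(consumer_secret, token_secret).encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def secrets_visible_in(signature: str) -> tuple:
    """What a passive observer of an unencrypted PLAINTEXT request sees:
    decoding oauth_signature yields (consumer_secret, token_secret)."""
    consumer, token = signature.split("&", 1)
    return unquote(consumer), unquote(token)


def accept_signature_method(oauth_params: dict, over_tls: bool) -> bool:
    """Server-side policy for the proposed MUST: reject a PLAINTEXT request
    that did not arrive over TLS/SSL; other methods are unaffected."""
    if oauth_params.get("oauth_signature_method") == "PLAINTEXT":
        return over_tls
    return True
```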
