
Token encryption cannot replace TLS. See #64

Open ioggstream opened this issue 2 years ago • 0 comments

This PR

  • token encryption can't replace TLS unless similar requirements are implemented (integrity, privacy, authenticity);
  • suggest using TLS along the way, even when using TLS terminators;
  • MUST does not define a specific requirement here

Note

Some mitigation measures express strict requirements (e.g. MUST NOT store in insecure cookies). IMHO that's OK, but in this case it's more than a mitigation, since an implementation that does not respect these is non-conformant.

ioggstream, Jul 21 '22 11:07