[Openid-specs-risc] Do you have a need for SET delivery to non-HTTPS endpoints?
Mike Jones
Michael.Jones at microsoft.com
Tue Jun 9 19:49:53 UTC 2020
There's a discussion in the IETF SecEvent working group at present about whether to restrict SET delivery using the draft-ietf-secevent-http-push<https://tools.ietf.org/html/draft-ietf-secevent-http-push-11> and draft-ietf-secevent-http-poll<https://tools.ietf.org/html/draft-ietf-secevent-http-poll-10> specs to only allow delivery over HTTPS (TLS) connections. At present, it's unclear whether pure HTTP is also allowed. The specs do say that if SETs are delivered over a channel that doesn't provide integrity protection, they must be signed and/or encrypted to provide this protection.
The discussion is happening in the thread "Re: [Id-event] Genart last call review of draft-ietf-secevent-http-poll-09". Given that this working group is using the SET delivery specs, I wanted to bring this choice that will be made soon to your attention.
-- Mike