Re: [Last-Call] Secdir last call review of draft-ietf-tls-exported-authenticator-13

The SHOULD here wasn't about TLS vs. QUIC, but rather about whether the authenticator or authenticator request needs to be kept confidential. There are potential situations where this isn't strictly necessary, so I think SHOULD is appropriate.

I've updated the draft here:
https://tools.ietf.org/html/draft-ietf-tls-exported-authenticator-14

Best,
Nick

On Wed, Dec 9, 2020 at 10:43 PM Martin Thomson <mt@xxxxxxxxxxxxxx> wrote:
On Thu, Dec 10, 2020, at 14:30, Sean Turner wrote:
> OLD:
>
>  The application layer protocol
>  used to send the authenticator request SHOULD use TLS as its
>  underlying transport to keep the request confidential
>
> NEW:
>
>  The application layer protocol
>  used to send the authenticator request SHOULD use a secure
>  channel with equivalent security to TLS, such as
>  QUIC [ID.draft-ietf-quic-tls], as its underlying transport
>  to keep the request confidential

Hi Sean, Any reason this can't become a MUST now?  Once you require comparable channel security, a stronger requirement seems pretty reasonable.

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
