Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Remember token binding? It was a stable draft. The OAuth WG spent a bunch
of cycles building on top of token binding, but token binding did not get
deployed, so no token binding for OAuth.

As I mentioned, I think Justin and Annabelle (and anyone else interested)
can influence HTTP Sig to cover OAuth use cases.

/Dick

ᐧ

On Wed, Oct 6, 2021 at 2:48 PM Aaron Parecki <aaron@parecki.com> wrote:

> This actually seems like a great time for the OAuth group to start working
> on this more closely given the relative stability of this draft as well as
> the fact that it is not yet an RFC. This is a perfect time to be able to
> influence the draft if needed, rather than wait for it to be finalized and
> then have to find a less-than-ideal workaround for something unforeseen.
>
> Aaron
>
> On Wed, Oct 6, 2021 at 2:25 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> I meant it is not yet adopted as an RFC.
>>
>> To be clear, I think you are doing great work on the HTTP Sig doc, and a
>> number of concerns I have with HTTP signing have been addressed => I just
>> think that doing work in the OAuth WG on a moving and unproven draft in the
>> HTTP WG is not a good use of resources in the OAuth WG at this time.
>>
>>
>> ᐧ
>>
>> On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <jricher@mit.edu> wrote:
>>
>>> > HTTP Sig looks very promising, but it has not been adopted as a draft
>>>
>>> Just to be clear, the HTTP Sig draft is an official adopted document of
>>> the HTTP Working Group since about a year ago. I would not have suggested
>>> we depend on it for a document within this WG otherwise.
>>>
>>>  — Justin
>>>
>>> On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> I am not supportive of adoption of this document at this time.
>>>
>>> I am supportive of the concepts in the document. Building upon existing,
>>> widely used, proven security mechanisms gives us better security.
>>>
>>> HTTP Sig looks very promising, but it has not been adopted as a draft,
>>> and as far as I know, it is not widely deployed.
>>>
>>> We should wait to do work on extending HTTP Sig for OAuth until it has
>>> stabilized and proven itself in the field. We have more than enough work to
>>> do in the WG now, and having yet-another PoP mechanism is more likely to
>>> confuse the community at this time.
>>>
>>> An argument to adopt the draft would be to ensure HTTP Sig can be used
>>> in OAuth.
>>> Given Justin and Annabelle are also part of the OAuth community, I'm
>>> sure they will be considering how HTTP Sig can apply to OAuth, so the
>>> overlap is serving us already.
>>>
>>> /Dick
>>>
>>>
>>> ᐧ
>>>
>>> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> I support adoption of this document.
>>>>
>>>> - Aaron
>>>>
>>>> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <
>>>> rifaat.s.ietf@gmail.com> wrote:
>>>>
>>>>> All,
>>>>>
>>>>> As a followup on the interim meeting today, this is a *call for
>>>>> adoption *for the *OAuth Proof of Possession Tokens with HTTP Message
>>>>> Signature* draft as a WG document:
>>>>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>>>>
>>>>> Please, provide your feedback on the mailing list by* October 20th*.
>>>>>
>>>>> Regards,
>>>>>  Rifaat & Hannes
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>