Justin Richer <jricher@mit.edu> Mon, 20 January 2020 16:51 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 0955A1208FA for <oauth@ietfa.amsl.com>; Mon, 20 Jan 2020 08:51:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Ese40jn9Ci_0 for <oauth@ietfa.amsl.com>; Mon, 20 Jan 2020 08:51:36 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73E841208E8 for <oauth@ietf.org>; Mon, 20 Jan 2020 08:51:36 -0800 (PST)
Received: from [] ([]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00KGpYSK024596 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <oauth@ietf.org>; Mon, 20 Jan 2020 11:51:35 -0500
From: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <6589BCE0-7710-4E2C-8E41-73BC28F8BCCA@mit.edu>
Date: Mon, 20 Jan 2020 11:51:34 -0500
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6NrcMRwxiux4M8_-Mz_r6HZLWAY>
Subject: [OAUTH-WG] HTTP Signing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 16:51:40 -0000

As many of you know, Annabelle and I have put forward a general-purpose HTTP Signing specification in the HTTP Working Group, at least initially based on the old Cavage signatures spec that’s been used in the wild. We expect a number of important changes to happen as it goes through the standards process (which is to say, we aren’t approaching this to get a stamp on existing code), including some key things that would allow it to be used for more advanced OAuth proof of possession work. I would fully expect that a fairly small profile of this new signature document would be sufficient for OAuth PoP tokens, replacing the expired draft-ietf-http-signatures spec. 

As I said in Singapore, I think that there’s room for this kind of thing alongside DPoP, which is much more focused and constrained than this is trying to be. 

The new draft is currently going through its call for adoption within the HTTP WG, and if you have any interest in this work moving forward, please join the thread on the HTTP list to show your support for the draft. The Call For Adoption is currently open and runs through Jan 31.

 — Justin