Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Dick Hardt <dick.hardt@gmail.com> Wed, 27 October 2021 16:57 UTC
In-Reply-To: <359ca6f14b40409abebdf0d9554c195c@oc11expo18.exchange.mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 27 Oct 2021 09:56:20 -0700
Message-ID: <CAD9ie-tsNYcJH2TALCr=fxGmbrhWUChxfWUK5njbdrMeoo9PxA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/E-vv8ZGhuipkLce0jiAFF3ygZaY>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Thanks for pointing out the Oblivious draft Justin. It is interesting, but looks to be focussed on privacy rather than non-repudiation. Was I missing non-repudiation aspects?

On Sat, Oct 23, 2021 at 4:55 PM Justin Richer <jricher@mit.edu> wrote:
> Dick, you would probably be interested in the Oblivious HTTP effort that
> has recently been chartered to solve similar encapsulation problems in
> HTTP.
>
> - Justin
> ________________________________________
> From: OAuth [oauth-bounces@ietf.org] on behalf of Dick Hardt [dick.hardt@gmail.com]
> Sent: Friday, October 22, 2021 6:08 PM
> To: Richard Backman, Annabelle
> Cc: David Waite; oauth
> Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
>
> I have a use case for a self contained request that can be independently
> verified by multiple parties. IE, not just have PoP at HTTP endpoint, but
> by components doing processing further down the line. It also provides
> non-repudiation.
>
> For example, a JWT that is sent as an HTTP payload includes the request
> and the access token.
>
> mTLS, DPoP, and HTTP signing don't provide this functionality
>
> It is not clear if others have similar requirements, or if there is value
> in standardization effort, but I wanted to call out a use case not solved
> by the current efforts.
>
> /Dick
>
> On Wed, Oct 13, 2021 at 2:55 PM Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org> wrote:
> > If keeping DPoP simple means we have to have come up with 10 different
> > variants to handle all the different cases that it doesn't support, then it
> > isn't keeping it simple, it is just pushing the problem forward to the
> > implementers to figure out which set of RFCs to implement.
> >
> > I'm hoping we can stop at 3: mTLS, DPoP, and Justin's draft. If someone
> > has use cases that aren't covered by one or more of those, they should
> > bring those up so we can discuss them and decide what changes are
> > warranted. (Either here, or in HTTPbis if changes should be made to Message
> > Signatures) My preference would've been to stop at 2, but the consensus has
> > not been in favor of expanding the scope of use cases served by DPoP.
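The self-contained request Dick describes in the quoted message (a signed JWT carried as the HTTP payload that embeds the request and the access token, verifiable by several components in turn and giving non-repudiation), as an added example that is not part of this thread or of any OAuth or HTTPbis draft. The claim names `htm`, `htu`, `body_sha256`, `at`, `iat` and `jti` are this example's own choice, the Ed25519 key pair and the request body are constructed inline, and the token is a plain compact JWS so that any party holding the client's public key can verify it without sharing state with the endpoint that first received it, which is the property mTLS, DPoP and HTTP Message Signatures do not give to downstream components.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SignedRequest is the claims set of the self-contained request token.
// The claim names are this example's own choice, not taken from any draft.
type SignedRequest struct {
	Method      string `json:"htm"`         // HTTP method the client committed to
	URI         string `json:"htu"`         // target URI
	BodyHash    string `json:"body_sha256"` // base64url(SHA-256(request body))
	AccessToken string `json:"at"`          // the OAuth access token being presented
	IssuedAt    int64  `json:"iat"`         // seconds since epoch, for freshness checks
	JTI         string `json:"jti"`         // unique id so verifiers can reject replays
}

var b64 = base64.RawURLEncoding

// BodyHash returns the digest of the request body that the token commits to.
func BodyHash(body []byte) string {
	sum := sha256.Sum256(body)
	return b64.EncodeToString(sum[:])
}

// Sign builds a compact JWS (header.payload.signature) over the claims with the
// client's Ed25519 private key. Only the client holds this key, which is what
// gives the token its non-repudiation property.
func Sign(priv ed25519.PrivateKey, req SignedRequest) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, err := json.Marshal(req)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature against the client's public key and returns the
// claims. Any component holding the public key can run this on its own copy of
// the token; nothing from the TLS session or the first endpoint is needed.
func Verify(pub ed25519.PublicKey, token string) (SignedRequest, error) {
	var req SignedRequest
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return req, errors.New("malformed compact JWS")
	}
	headerBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return req, err
	}
	// Pin the algorithm: the verifier decides how to verify, not the token.
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerBytes, &header); err != nil || header.Alg != "EdDSA" {
		return req, errors.New("unexpected or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return req, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return req, errors.New("signature does not verify")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return req, err
	}
	if err := json.Unmarshal(payload, &req); err != nil {
		return req, err
	}
	return req, nil
}

// CheckBody confirms that the body a downstream component received is the one
// the client signed, so a change made between components is detected there.
func CheckBody(req SignedRequest, body []byte) bool {
	return req.BodyHash == BodyHash(body)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed client key pair
	body := []byte(`{"amount":10,"to":"acct-42"}`)  // constructed request body
	req := SignedRequest{
		Method: "POST", URI: "https://rs.example/transfer",
		BodyHash: BodyHash(body), AccessToken: "constructed-access-token",
		IssuedAt: 1635353817, JTI: "constructed-jti-1",
	}
	token, _ := Sign(priv, req)
	// Two independent parties verify the same token: the HTTP front end and a
	// worker further down the line that only ever sees the token and the body.
	for _, party := range []string{"api-gateway", "queue-worker"} {
		claims, err := Verify(pub, token)
		fmt.Printf("%s: verified=%v body-matches=%v\n", party, err == nil, CheckBody(claims, body))
	}
}
```

A deployment would still need what this sketch leaves out: a freshness window on `iat`, a replay cache keyed on `jti` at each verifier, a check that the presented access token is bound to the signing key (for instance through a `cnf` claim issued by the authorization server), and a way for downstream components to fetch the client's public key. The point the example makes is structural: because the request and the access token travel inside the signed object, every component can re-verify them independently, and the signature is evidence of who sent the request after the fact.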