Re: [OAUTH-WG] Call for Adoption: DPoP

Justin Richer <jricher@mit.edu> Tue, 17 March 2020 21:25 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E16333A07AA for <oauth@ietfa.amsl.com>; Tue, 17 Mar 2020 14:25:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ev20f2IqDeB9 for <oauth@ietfa.amsl.com>; Tue, 17 Mar 2020 14:25:58 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553593A07A9 for <oauth@ietf.org>; Tue, 17 Mar 2020 14:25:57 -0700 (PDT)
Received: from [192.168.1.5] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 02HLPrbO000815 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 17 Mar 2020 17:25:53 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <BBDA3FD2-BA24-4256-968A-FC268799306E@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E4DDCBC1-24CE-4268-B248-90E4C93EC2A2"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 17 Mar 2020 17:25:53 -0400
In-Reply-To: <CAGL6epKuWNXypWMsTQLocX6WqbyQkAE=128gJkKPuOqBzk97Hg@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
References: <CAGL6epKuWNXypWMsTQLocX6WqbyQkAE=128gJkKPuOqBzk97Hg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q9ghbVg8aDdaAYLwdwJbPL5cVho>
Subject: Re: [OAUTH-WG] Call for Adoption: DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2020 21:26:00 -0000

+1

I support adoption of DPoP. I have written an implementation of its current state for a client and implemented its signature mechanism in another project (without the rest of the protocol, fwiw). 

Now, speaking as the editor of the group’s previous general-purpose http signature draft (for use with the general purpose PoP architecture) and co-editor of the new HTTP working group http signature draft, I still think that there’s room for both of these implementations out there. DPoP is simple and focused, it should do one thing and do it well. And the energies that are looking for a more general solution should help us make the wider HTTP Signature spec work across all those use cases.

 — Justin

> On Mar 17, 2020, at 8:20 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:
> 
> All,
> 
> As per the conclusion of the PoP interim meeting, this is a call for adoption for the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) document:
> https://datatracker.ietf.org/doc/draft-fett-oauth-dpop/ <https://datatracker.ietf.org/doc/draft-fett-oauth-dpop/>
>  
> Please, let us know if you support or object to the adoption of this document as a working group document by March 31st.
> 
> Regards,
>  Rifaat & Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth