Re: [OAUTH-WG] Call for Adoption: DPoP

"Richard Backman, Annabelle" <> Fri, 20 March 2020 21:06 UTC

From: "Richard Backman, Annabelle"
To: Justin Richer, Rifaat Shekh-Yusef
CC: oauth
Date: Fri, 20 Mar 2020 21:06:15 +0000


I support adoption of DPoP, and echo Justin’s sentiment that there remains room for further work.

Annabelle Backman (she/her)
AWS Identity

From: OAuth on behalf of Justin Richer
Date: Tuesday, March 17, 2020 at 2:26 PM
To: Rifaat Shekh-Yusef
Cc: oauth
Subject: RE: [EXTERNAL] [OAUTH-WG] Call for Adoption: DPoP


I support adoption of DPoP. I have written an implementation of its current state for a client and implemented its signature mechanism in another project (without the rest of the protocol, fwiw).

Now, speaking as the editor of the group’s previous general-purpose http signature draft (for use with the general purpose PoP architecture) and co-editor of the new HTTP working group http signature draft, I still think that there’s room for both of these implementations out there. DPoP is simple and focused, it should do one thing and do it well. And the energies that are looking for a more general solution should help us make the wider HTTP Signature spec work across all those use cases.

 — Justin

On Mar 17, 2020, at 8:20 AM, Rifaat Shekh-Yusef wrote:


As per the conclusion of the PoP interim meeting, this is a call for adoption for the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) document:

Please, let us know if you support or object to the adoption of this document as a working group document by March 31st.

 Rifaat & Hannes