Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Dick Hardt <dick.hardt@gmail.com> Wed, 06 October 2021 21:09 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 06 Oct 2021 14:08:44 -0700
Message-ID: <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/auxLfMaH8jlMObwmwgNaroKBl-o>
I am not supportive of adoption of this document at this time. I am supportive of the concepts in the document. Building upon existing, widely used, proven security mechanisms gives us better security.

HTTP Sig looks very promising, but it has not been adopted as a draft, and as far as I know, it is not widely deployed. We should wait to do work on extending HTTP Sig for OAuth until it has stabilized and proven itself in the field.

We have more than enough work to do in the WG now, and having yet another PoP mechanism is more likely to confuse the community at this time.

An argument to adopt the draft would be to ensure HTTP Sig can be used in OAuth. Given Justin and Annabelle are also part of the OAuth community, I'm sure they will be considering how HTTP Sig can apply to OAuth, so the overlap is serving us already.

/Dick

On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aaron@parecki.com> wrote:

> I support adoption of this document.
>
> - Aaron
>
> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> As a followup on the interim meeting today, this is a *call for adoption* for the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft as a WG document:
>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>
>> Please provide your feedback on the mailing list by *October 20th*.
>>
>> Regards,
>> Rifaat & Hannes
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth