Re: [OAUTH-WG] HTTP Message Signing and OAuth PoP

Justin Richer <> Mon, 03 May 2021 12:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 010993A100D for <>; Mon, 3 May 2021 05:59:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zJSnNJLT6zeX for <>; Mon, 3 May 2021 05:59:47 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 77A873A1007 for <>; Mon, 3 May 2021 05:59:47 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 143CxidQ009175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 3 May 2021 08:59:44 -0400
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0808DA12-CFB3-4892-A663-A00DB0996698"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Mon, 03 May 2021 08:59:44 -0400
In-Reply-To: <>
Cc: oauth <>
To: Rifaat Shekh-Yusef <>
References: <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] HTTP Message Signing and OAuth PoP
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 May 2021 12:59:52 -0000

Hi Rifaat,

If you’d like to keep the current mondays-at-noon-ET schedule I can support that. Any Monday this month would work for me, and I’ve reached out to Annabelle so hopefully she can join as well. I don’t know if I’d be able to have the rewrite of the OAuth PoP draft in hand by any of those dates, but the concept is straightforward enough to discuss with or without a draft.

 — Justin

> On Apr 29, 2021, at 2:51 PM, Rifaat Shekh-Yusef <> wrote:
> Hi Justin,
> Thanks for the update on this,
> We would be happy to schedule an interim meeting to discuss this. 
> Do you have a date in mind?
> Regards,
>  Rifaat & Hannes
> On Thu, Apr 29, 2021 at 11:34 AM Justin Richer < <>> wrote:
> Many of you will remember an old draft that I was the editor of that defined OAuth proof of possession methods using HTTP Message Signing. When writing that draft I invented my own scheme because there wasn’t an existing HTTP message signature standard that was robust enough for our use cases. I’m happy to say that the landscape has changed: Annabelle Backman and I have been working in the HTTP Working Group on HTTP Message Signatures, a general-purpose HTTP signing draft with a lot of power and a lot of flexibility. There’s even a relatively straightforward way to map JOSE-defined signature algorithms into this (even though, to be clear, it is not JOSE-based). The current draft is here:
> <>
> This draft has gone through a lot of change in the last few months, but we, the editors, believe that it’s at a fairly stable place in terms of the core functioning of the protocol now. It’s not finished yet, but we think that any changes that come from here will be smaller in scope, more of a cleanup and clarification than the deep invasive surgery that has happened up until now.
> One of the things about this draft is that, on its own, it is not sufficient for a security protocol. By design it needs some additional details on where to get key materials, how to negotiate algorithms, what fields need to be covered by the signature, etc. I am proposing that we in the OAuth WG replace the long-since-expired OAuth PoP working group draft with a new document based on HTTP Message Signatures. I believe that this document can be relatively short and to the point, given that much of the mechanics would be defined in the HTTP draft. If this is something we would like to do in the WG, I am volunteering to write the updated draft.
> I also want to be very clear that I still believe that this lives beside DPoP, and that DPoP should continue even as we pick this back up. In fact, I think that this work would take some pressure off of DPoP and allow it to be the streamlined point solution that it was originally intended to be.
> If the chairs would like, I would also be happy to discuss this at an interim meeting.
>  — Justin
> _______________________________________________
> OAuth mailing list
> <>
> <>