Re: [OAUTH-WG] HTTP Message Signing and OAuth PoP

Phillip Hunt <> Thu, 29 April 2021 16:13 UTC

Thanks for this. I am pleased the HTTPbis group took this up. It is a multi-WG issue that needs their expertise. 

I look forward to reading the new draft.



> On Apr 29, 2021, at 8:34 AM, Justin Richer <> wrote:
> Many of you will remember an old draft that I was the editor of that defined OAuth proof of possession methods using HTTP Message Signing. When writing that draft I invented my own scheme because there wasn’t an existing HTTP message signature standard that was robust enough for our use cases. I’m happy to say that the landscape has changed: Annabelle Backman and I have been working in the HTTP Working Group on HTTP Message Signatures, a general-purpose HTTP signing draft with a lot of power and a lot of flexibility. There’s even a relatively straightforward way to map JOSE-defined signature algorithms into this (even though, to be clear, it is not JOSE-based). The current draft is here:
> This draft has gone through a lot of change in the last few months, but we, the editors, believe that it’s at a fairly stable place in terms of the core functioning of the protocol now. It’s not finished yet, but we think that any changes that come from here will be smaller in scope, more of a cleanup and clarification than the deep invasive surgery that has happened up until now.
> One of the things about this draft is that, on its own, it is not sufficient for a security protocol. By design it needs some additional details on where to get key materials, how to negotiate algorithms, what fields need to be covered by the signature, etc. I am proposing that we in the OAuth WG replace the long-since-expired OAuth PoP working group draft with a new document based on HTTP Message Signatures. I believe that this document can be relatively short and to the point, given that much of the mechanics would be defined in the HTTP draft. If this is something we would like to do in the WG, I am volunteering to write the updated draft.
> I also want to be very clear that I still believe that this lives beside DPoP, and that DPoP should continue even as we pick this back up. In fact, I think that this work would take some pressure off of DPoP and allow it to be the streamlined point solution that it was originally intended to be.
> If the chairs would like, I would also be happy to discuss this at an interim meeting.
>  — Justin