Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Dick Hardt <dick.hardt@gmail.com> Fri, 08 October 2021 21:06 UTC

References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <D445073E-D495-4250-9773-9AEEB09C01E0@amazon.com> <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com> <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com>
In-Reply-To: <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 08 Oct 2021 14:06:10 -0700
Message-ID: <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gywni5lAFCXaEaIpf9N9U1IAcQg>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

inline

On Fri, Oct 8, 2021 at 2:00 PM Richard Backman, Annabelle <
richanna@amazon.com> wrote:

> I.e., if the success of HTTP Signing is tied to the OAuth WG adopting the
> draft, then Mike's arguments about the WG already doing this work are valid.
>
>
> It's not the success of HTTP Message Signatures that concerns me here;
> that draft will reach RFC regardless of what the OAuth WG does.
>

Maybe, maybe not. And then having adoption and proving that all the other
concerns raised on the list such as canonicalization challenges are moot.


> But I and others would like to use Message Signatures with OAuth 2.0, and
> would like to have some confidence that there will be a standard,
> interoperable way to do that.
>
> There are other, non-OAuth 2.0 use cases for HTTP Message Signatures. I
> don't see the rationale behind waiting for implementations for completely
> unrelated use cases, or by parties that aren't using OAuth 2.0 for
> authorization. How are they relevant?
>

The proposal is to build upon a general purpose security mechanism. I would
like to see that general purpose security mechanism proven before building
upon it.

/Dick