IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Justin Richer <jricher@mit.edu> Wed, 06 October 2021 21:21 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725883A08FD for <oauth@ietfa.amsl.com>; Wed, 6 Oct 2021 14:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dhiKgeCzqlHI for <oauth@ietfa.amsl.com>; Wed, 6 Oct 2021 14:20:57 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0C8D3A08DA for <oauth@ietf.org>; Wed, 6 Oct 2021 14:20:57 -0700 (PDT)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 196LKskv014001 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 6 Oct 2021 17:20:55 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D74DF851-9975-4E75-B6A5-EF1AE10A64C2"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 06 Oct 2021 17:20:54 -0400
In-Reply-To: <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
To: Dick Hardt <dick.hardt@gmail.com>
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hjjEJnJYBewvetLM916PHPxnvMA>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 21:21:03 -0000

> HTTP Sig looks very promising, but it has not been adopted as a draft

Just to be clear, the HTTP Sig draft is an official adopted document of the HTTP Working Group since about a year ago. I would not have suggested we depend on it for a document within this WG otherwise.

 — Justin

> On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> I am not supportive of adoption of this document at this time. 
> 
> I am supportive of the concepts in the document. Building upon existing, widely used, proven security mechanisms gives us better security.
> 
> HTTP Sig looks very promising, but it has not been adopted as a draft, and as far as I know, it is not widely deployed.
> 
> We should wait to do work on extending HTTP Sig for OAuth until it has stabilized and proven itself in the field. We have more than enough work to do in the WG now, and having yet-another PoP mechanism is more likely to confuse the community at this time.
> 
> An argument to adopt the draft would be to ensure HTTP Sig can be used in OAuth.
> Given Justin and Annabelle are also part of the OAuth community, I'm sure they will be considering how HTTP Sig can apply to OAuth, so the overlap is serving us already.
> 
> /Dick
> 
> 
> ᐧ
> 
> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aaron@parecki.com <mailto:aaron@parecki.com>> wrote:
> I support adoption of this document.
> 
> - Aaron
> 
> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
> All,
> 
> As a followup on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/ <https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/>
> 
> Please, provide your feedback on the mailing list by October 20th.
> 
> Regards,
>  Rifaat & Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email