Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Aaron Parecki <aaron@parecki.com> Wed, 06 October 2021 21:48 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 06 Oct 2021 14:48:16 -0700
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k5BXQZ8eHc4wzicPswPmt1dv2tM>

This actually seems like a great time for the OAuth group to start working
on this more closely given the relative stability of this draft as well as
the fact that it is not yet an RFC. This is a perfect time to be able to
influence the draft if needed, rather than wait for it to be finalized and
then have to find a less-than-ideal workaround for something unforeseen.

Aaron

On Wed, Oct 6, 2021 at 2:25 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I meant it is not yet adopted as an RFC.
>
> To be clear, I think you are doing great work on the HTTP Sig doc, and a
> number of concerns I have with HTTP signing have been addressed => I just
> think that doing work in the OAuth WG on a moving and unproven draft in the
> HTTP WG is not a good use of resources in the OAuth WG at this time.
>
>
> On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <jricher@mit.edu> wrote:
>
>> > HTTP Sig looks very promising, but it has not been adopted as a draft
>>
>> Just to be clear, the HTTP Sig draft is an official adopted document of
>> the HTTP Working Group since about a year ago. I would not have suggested
>> we depend on it for a document within this WG otherwise.
>>
>>  — Justin
>>
>> On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> I am not supportive of adoption of this document at this time.
>>
>> I am supportive of the concepts in the document. Building upon existing,
>> widely used, proven security mechanisms gives us better security.
>>
>> HTTP Sig looks very promising, but it has not been adopted as a draft,
>> and as far as I know, it is not widely deployed.
>>
>> We should wait to do work on extending HTTP Sig for OAuth until it has
>> stabilized and proven itself in the field. We have more than enough work to
>> do in the WG now, and having yet-another PoP mechanism is more likely to
>> confuse the community at this time.
>>
>> An argument to adopt the draft would be to ensure HTTP Sig can be used in
>> OAuth.
>> Given Justin and Annabelle are also part of the OAuth community, I'm sure
>> they will be considering how HTTP Sig can apply to OAuth, so the overlap is
>> serving us already.
>>
>> /Dick
>>
>>
>> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> I support adoption of this document.
>>>
>>> - Aaron
>>>
>>> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>>>
>>>> All,
>>>>
>>>> As a followup on the interim meeting today, this is a *call for
>>>> adoption* for the *OAuth Proof of Possession Tokens with HTTP Message
>>>> Signature* draft as a WG document:
>>>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>>>
>>>> Please, provide your feedback on the mailing list by *October 20th*.
>>>>
>>>> Regards,
>>>>  Rifaat & Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>