Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Domingos Creado <domingos.creado@authlete.com> Fri, 08 October 2021 19:49 UTC
From: Domingos Creado <domingos.creado@authlete.com>
Date: Fri, 08 Oct 2021 16:48:57 -0300
Message-ID: <CAFtv1m5FfR3fJshsGswVH5Ssgpm4gO+AFVR4RkcsSGHmC5172Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pGjxDimQRL4VXE4Oa8Ldg_MPRMg>
"This draft is actually significantly simpler than DPoP precisely because it is not defining an HTTP signing mechanism." that is my understanding as well, but I was afraid to start a flame war :D

On Fri, Oct 8, 2021 at 4:23 PM Justin Richer <jricher@mit.edu> wrote:

> Hi Mike,
>
> One of the major benefits of this proposed draft is that it does not try to solve the problem of HTTP message signing — which is a huge problem unto itself. When I wrote the original draft-ietf-oauth-signed-http-request, I wasn’t able to write it to depend on a general-purpose HTTP signing spec and so it had to invent a mechanism. OAuth 1 worked on signing just query parameters and lots of things in the front-channel, and so invented its own mechanism.
>
> Now that the HTTP working group is well on the way to standardizing the HTTP Message Signatures draft as a general-purpose RFC, the OAuth working group doesn’t need to solve that problem anymore, and that’s a really, really good thing. We aren’t the right community to get that right, and the two previous failed attempts you point to prove that better than anything. That’s exactly why this draft is NOT going to do that, at all. HTTP Message Signing exists, people are implementing it and using it. It makes sense for the OAuth working group to define a way to use that work in an OAuth context. We are not and should not try again to define a way to sign HTTP messages.
>
> That said, we know that DPoP invents its own way to sign an HTTP message, in a limited fashion. It has clear limitations — it doesn’t sign query parameters (which are likely to be important to many API types), it doesn’t sign headers, it doesn’t sign the body, etc. Even with these limitations, DPoP is useful, and I still argue that instead of trying to extend DPoP with a bunch of other things, we should let it exist as the clean point solution that it is.
>
> This draft is actually significantly simpler than DPoP precisely because it is not defining an HTTP signing mechanism.
>
> — Justin
>
> On Oct 8, 2021, at 2:24 PM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
> *I do not support adoption* of this draft. OAuth 1 failed because of the complexity of HTTP Signing and the resulting difficulty of achieving interop. draft-ietf-oauth-signed-http-request was abandoned by the working group recognizing that it was resurrecting equivalent complexity to OAuth 1. The proposed new draft is a third crack at the same thing that’s not sufficiently differentiated from the previous failed efforts in my mind to warrant us spending time on it.
>
> Also, note we do have draft-ietf-oauth-dpop, which solves the actual proof-of-possession problem for OAuth in a narrowly targeted, focused manner. That draft is active and in good shape. We don’t need a more general, more complicated draft solving the same problem.
>
> -- Mike
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
> *Sent:* Wednesday, October 6, 2021 2:02 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
>
> All,
>
> As a followup on the interim meeting today, this is a *call for adoption* for the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>
> Please, provide your feedback on the mailing list by *October 20th*.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
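To make the coverage difference Justin describes concrete (a DPoP proof signs the method and a query-stripped URI, while an HTTP Message Signature can cover the query, arbitrary headers and a body digest), here is an added Python example. It is not code from this thread, from draft-ietf-oauth-dpop or from draft-richer-oauth-httpsig; it models the two to-be-signed structures after the drafts as they stood at the time, produces no real key or signature, and uses constructed placeholder URLs, token, header values, key id and timestamp.

```python
import base64
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE (and therefore DPoP) encodes values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dpop_covered_claims(method: str, url: str, access_token: Optional[str] = None,
                        jti: str = "constructed-jti", iat: int = 1633722549) -> Dict[str, object]:
    """Model of the claims a DPoP proof JWT signs (draft-ietf-oauth-dpop): jti, htm,
    htu, iat and, when a bound access token accompanies the request, ath.
    htu is the target URI *without* query and fragment, so query parameters are
    not covered; request headers and body are not represented at all.
    No JWS is produced here; this only shows what would be signed."""
    parts = urlsplit(url)
    htu = f"{parts.scheme}://{parts.netloc}{parts.path}"
    claims: Dict[str, object] = {"jti": jti, "htm": method.upper(), "htu": htu, "iat": iat}
    if access_token is not None:
        # ath = base64url(SHA-256(access token)) binds the proof to that token
        claims["ath"] = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    return claims


def httpsig_signature_base(method: str, url: str, headers: Dict[str, str],
                           covered: List[str], created: int, keyid: str) -> str:
    """Model of the signature base of draft-ietf-httpbis-message-signatures: one
    line per covered component (derived components start with '@', header names
    are lowercased and their values whitespace-collapsed), then the
    @signature-params line. Query, any header and (via Content-Digest) the body
    can all be covered, which DPoP's htm/htu pair cannot express."""
    parts = urlsplit(url)
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    derived = {
        "@method": method.upper(),
        "@target-uri": url,
        "@authority": parts.netloc,
        "@path": parts.path,
        "@query": "?" + parts.query,  # the draft includes the leading '?'
    }
    lines = []
    for name in covered:
        value = derived[name] if name.startswith("@") else lowered[name]
        lines.append(f'"{name}": {value}')
    params = "(" + " ".join(f'"{n}"' for n in covered) + f');created={created};keyid="{keyid}"'
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def query_mutation_changes_what_is_signed() -> Dict[str, bool]:
    """Take one constructed POST, change only a query parameter, and report whether
    each mechanism's to-be-signed content changes. A verifier can only detect a
    modification of fields that are actually inside the signed content."""
    token = "constructed-access-token"
    headers = {"Content-Digest": "sha-256=:constructed-digest:"}
    url_a = "https://api.example.com/transfer?amount=10&to=alice"
    url_b = "https://api.example.com/transfer?amount=10&to=bob"
    covered = ["@method", "@authority", "@path", "@query", "content-digest"]
    dpop_a = dpop_covered_claims("POST", url_a, token)
    dpop_b = dpop_covered_claims("POST", url_b, token)
    sig_a = httpsig_signature_base("POST", url_a, headers, covered, 1633722549, "constructed-key")
    sig_b = httpsig_signature_base("POST", url_b, headers, covered, 1633722549, "constructed-key")
    return {"dpop_changes": dpop_a != dpop_b, "httpsig_changes": sig_a != sig_b}


if __name__ == "__main__":
    print(query_mutation_changes_what_is_signed())
    print(httpsig_signature_base("POST", "https://api.example.com/transfer?to=alice",
                                 {"Content-Digest": "sha-256=:constructed-digest:"},
                                 ["@method", "@path", "@query", "content-digest"],
                                 1633722549, "constructed-key"))
```

The point of `query_mutation_changes_what_is_signed` is the verifier's view: with DPoP the two requests produce identical claims, so a resource server checking the proof has no signed statement about the query to compare against, whereas the message-signature base differs in its `"@query"` line and the signature over it would fail to verify.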