Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 08 October 2021 21:01 UTC

From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Dick Hardt <dick.hardt@gmail.com>
CC: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Date: Fri, 08 Oct 2021 21:00:36 +0000
Message-ID: <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com>
In-Reply-To: <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sWTMtXWBE-fY7edDAYj5FEMNkHg>
List-Id: OAUTH WG <oauth.ietf.org>

I.e., if the success of HTTP Signing is tied to the OAuth WG adopting the draft, then Mike's arguments about the WG already doing this work are valid.

It's not the success of HTTP Message Signatures that concerns me here; that draft will reach RFC regardless of what the OAuth WG does. But I and others would like to use Message Signatures with OAuth 2.0, and would like to have some confidence that there will be a standard, interoperable way to do that.

There are other, non-OAuth 2.0 use cases for HTTP Message Signatures. I don't see the rationale behind waiting for implementations for completely unrelated use cases, or by parties that aren't using OAuth 2.0 for authorization. How are they relevant?

—
Annabelle Backman (she/her)
richanna@amazon.com

On Oct 8, 2021, at 1:33 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

On Fri, Oct 8, 2021 at 12:39 PM Richard Backman, Annabelle <richanna@amazon.com> wrote:

Blocking WG development of an OAuth 2.0 profile of Message Signatures behind widespread deployment of Message Signatures risks creating a deadlock where the WG is waiting for implementations from would-be implementers who are waiting for guidance from the WG. Worse, rejecting the draft is likely to further discourage these parties from implementing Message Signatures, as it suggests the WG is not interested in standardizing its usage with OAuth 2.0.

If the main use case for HTTP Signing is the OAuth WG, then effectively the OAuth WG is developing HTTP Signing and it is not really a general purpose standard.

I.e., if the success of HTTP Signing is tied to the OAuth WG adopting the draft, then Mike's arguments about the WG already doing this work are valid.
