Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Justin Richer <jricher@mit.edu> Thu, 14 October 2021 14:51 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <1BCD53C7-4802-42A1-97EE-81C93F54588E@mit.edu>
Date: Thu, 14 Oct 2021 10:51:01 -0400
In-Reply-To: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/usILMZQgBdu2acws4_cSjPIR_ZY>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I wanted to jump back to the top of the thread to point out something that seems to be getting missed:


This is not a call for adoption of HTTP Message Signatures. That document already exists in the HTTP WG and will be published as an RFC from that group. If you want to have discussions about how the HTTP Message Signatures specification works, come to the HTTP working group for those discussions.

This is a call for adoption of an OAuth application of the HTTP Message Signatures spec. Signatures will exist with or without the OAuth WG’s use of it, and I would argue that people are going to attach OAuth access tokens to requests using HTTP Message Signatures whether or not the OAuth WG picks up the work. The question is whether those applications are going to be isolated profiles and silos, like they are today, or whether there can be one way to use them together across different systems.

My recommendation is that the OAuth WG define how exactly HTTP Message Signatures should be used with OAuth, which is what this proposal is for.

 — Justin


> On Oct 6, 2021, at 5:01 PM, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
> 
> All,
> 
> As a followup on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
> 
> Please, provide your feedback on the mailing list by October 20th.
> 
> Regards,
>  Rifaat & Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth