Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Mike Jones <Michael.Jones@microsoft.com> Fri, 08 October 2021 18:24 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "rifaat.s.ietf@gmail.com" <rifaat.s.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 08 Oct 2021 18:24:30 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wfB3i817LPth8LKeDfqjcntEJVM>

I do not support adoption of this draft.  OAuth 1 failed because of the complexity of HTTP Signing and the resulting difficulty of achieving interop.  draft-ietf-oauth-signed-http-request was abandoned by the working group recognizing that it was resurrecting equivalent complexity to OAuth 1.  The proposed new draft is a third crack at the same thing that’s not sufficiently differentiated from the previous failed efforts in my mind to warrant us spending time on it.

Also, note we do have draft-ietf-oauth-dpop, which solves the actual proof-of-possession problem for OAuth in a narrowly targeted, focused manner.  That draft is active and in good shape.  We don’t need a more general, more complicated draft solving the same problem.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Wednesday, October 6, 2021 2:02 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

All,

As a follow-up on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/

Please provide your feedback on the mailing list by October 20th.

Regards,
 Rifaat & Hannes