Hi Justin, John, and Hannes,

Is there an appetite to change the draft in such a way as:

- do not wrap the access token itself. It could include at_hash though.
  Rationale: a PoP access token can be pretty large and I do not want to
  double base64url encode.
- perhaps change ts to string to accommodate a nonce-like string.

Essentially, what I want to do is not the http signing but just the PoP-based client authentication, which is very simple. While I was writing it up, it occurred to me that if the above modification were done, your draft would be a superset of what I wanted to do.

My write-up is here: http://bit.ly/oauth-jpop

Financial API use cases need something like that. (Another possibility is a sender confirmation.)

Best,

Nat Sakimura

> -----Original Message-----
> From: OAuth [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Tuesday, August 9, 2016 1:34 AM
> To: [email protected]
> Cc: [email protected]
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-03.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol of the IETF.
>
>         Title           : A Method for Signing HTTP Requests for OAuth
>         Authors         : Justin Richer
>                           John Bradley
>                           Hannes Tschofenig
>         Filename        : draft-ietf-oauth-signed-http-request-03.txt
>         Pages           : 13
>         Date            : 2016-08-08
>
> Abstract:
>    This document a method for offering data origin authentication and
>    integrity protection of HTTP requests.  To convey the relevant data
>    items in the request a JSON-based encapsulation is used and the JSON
>    Web Signature (JWS) technique is re-used.  JWS offers integrity
>    protection using symmetric as well as asymmetric cryptography.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-signed-http-request-03
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
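The size argument in the message above, as an added example that is not part of the original e-mail or of the draft: it signs one request object that wraps the token in `at` and one that carries only an `at_hash`, then checks the binding on the receiving side. Assumptions: `at_hash` is computed the way OpenID Connect defines it for SHA-256, the PoP key is a shared HS256 key, and the token, key and `ts` string are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash(access_token: str) -> str:
    # Assumption: same rule as OpenID Connect's at_hash with SHA-256, i.e. the
    # left-most half of the hash of the token's ASCII octets, base64url-encoded.
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def sign_jws(payload: dict, key: bytes) -> str:
    # Compact JWS with HS256 (symmetric PoP key).
    header = b64url(b'{"alg":"HS256"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_jws(jws: str, key: bytes) -> dict:
    header, body, sig = jws.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the message choose the algorithm
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(mac), sig):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def token_is_bound(jws: str, presented_token: str, key: bytes) -> bool:
    # Receiver side: the token travels once, outside the JWS; the signed
    # at_hash ties this proof to exactly that token.
    claims = verify_jws(jws, key)
    return hmac.compare_digest(str(claims.get("at_hash", "")), at_hash(presented_token))

# Constructed sample values (not from the e-mail or the draft).
SAMPLE_KEY = b"constructed-shared-pop-key-0123456789"
SAMPLE_TOKEN = b64url(b'{"alg":"none"}') + "." + b64url(b"x" * 900) + "."
WRAPPED = sign_jws({"at": SAMPLE_TOKEN, "ts": 1470700000}, SAMPLE_KEY)
HASHED = sign_jws({"at_hash": at_hash(SAMPLE_TOKEN), "ts": "n-0S6_WzA2Mj"}, SAMPLE_KEY)

if __name__ == "__main__":
    print("token:", len(SAMPLE_TOKEN), "wrapped JWS:", len(WRAPPED), "at_hash JWS:", len(HASHED))
```

Because the wrapped token is base64url-encoded a second time inside the JWS payload, the wrapped form grows by about four thirds of the token length, while the `at_hash` form stays the same size whatever the token length.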
