Many of you will remember an old draft that I was the editor of that defined 
OAuth proof of possession methods using HTTP Message Signing. When writing that 
draft I invented my own scheme because there wasn’t an existing HTTP message 
signature standard that was robust enough for our use cases. I’m happy to say 
that the landscape has changed: Annabelle Backman and I have been working in 
the HTTP Working Group on HTTP Message Signatures, a general-purpose HTTP 
signing draft with a lot of power and a lot of flexibility. There’s even a 
relatively straightforward way to map JOSE-defined signature algorithms into 
this (even though, to be clear, it is not JOSE-based). The current draft is 
here:

https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html

This draft has gone through a lot of change in the last few months, but we, the 
editors, believe that it’s at a fairly stable place in terms of the core 
functioning of the protocol now. It’s not finished yet, but we think that any 
changes that come from here will be smaller in scope, more of a cleanup and 
clarification than the deep invasive surgery that has happened up until now.

One of the things about this draft is that, on its own, it is not sufficient 
for a security protocol. By design it needs some additional details on where to 
get key materials, how to negotiate algorithms, what fields need to be covered 
by the signature, etc. I am proposing that we in the OAuth WG replace the 
long-since-expired OAuth PoP working group draft with a new document based on 
HTTP Message Signatures. I believe that this document can be relatively short 
and to the point, given that much of the mechanics would be defined in the HTTP 
draft. If this is something we would like to do in the WG, I am volunteering to 
write the updated draft.

I also want to be very clear that I still believe that this lives beside DPoP, 
and that DPoP should continue even as we pick this back up. In fact, I think 
that this work would take some pressure off of DPoP and allow it to be the 
streamlined point solution that it was originally intended to be.

If the chairs would like, I would also be happy to discuss this at an interim 
meeting.

 — Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
