Justin, thanks for this. I am pleased the HTTPbis group took this up. It is a multi-WG issue that needs their expertise.
I look forward to reading the new draft.

Cheers,
Phil

> On Apr 29, 2021, at 8:34 AM, Justin Richer <[email protected]> wrote:
>
> Many of you will remember an old draft that I was the editor of that defined OAuth proof of possession methods using HTTP Message Signing. When writing that draft I invented my own scheme because there wasn't an existing HTTP message signature standard that was robust enough for our use cases. I'm happy to say that the landscape has changed: Annabelle Backman and I have been working in the HTTP Working Group on HTTP Message Signatures, a general-purpose HTTP signing draft with a lot of power and a lot of flexibility. There's even a relatively straightforward way to map JOSE-defined signature algorithms into this (even though, to be clear, it is not JOSE-based). The current draft is here:
>
> https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html
>
> This draft has gone through a lot of change in the last few months, but we, the editors, believe that it's at a fairly stable place in terms of the core functioning of the protocol now. It's not finished yet, but we think that any changes that come from here will be smaller in scope, more of a cleanup and clarification than the deep invasive surgery that has happened up until now.
>
> One of the things about this draft is that, on its own, it is not sufficient for a security protocol. By design it needs some additional details on where to get key materials, how to negotiate algorithms, what fields need to be covered by the signature, etc. I am proposing that we in the OAuth WG replace the long-since-expired OAuth PoP working group draft with a new document based on HTTP Message Signatures. I believe that this document can be relatively short and to the point, given that much of the mechanics would be defined in the HTTP draft. If this is something we would like to do in the WG, I am volunteering to write the updated draft.
>
> I also want to be very clear that I still believe that this lives beside DPoP, and that DPoP should continue even as we pick this back up. In fact, I think that this work would take some pressure off of DPoP and allow it to be the streamlined point solution that it was originally intended to be.
>
> If the chairs would like, I would also be happy to discuss this at an interim meeting.
>
> — Justin
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
