Hi Justin,

Thanks for the update on this. We would be happy to schedule an interim meeting to discuss this. Do you have a date in mind?

Regards,
Rifaat & Hannes

On Thu, Apr 29, 2021 at 11:34 AM Justin Richer <[email protected]> wrote:

> Many of you will remember an old draft that I was the editor of that defined OAuth proof of possession methods using HTTP Message Signing. When writing that draft I invented my own scheme because there wasn’t an existing HTTP message signature standard that was robust enough for our use cases. I’m happy to say that the landscape has changed: Annabelle Backman and I have been working in the HTTP Working Group on HTTP Message Signatures, a general-purpose HTTP signing draft with a lot of power and a lot of flexibility. There’s even a relatively straightforward way to map JOSE-defined signature algorithms into this (even though, to be clear, it is not JOSE-based). The current draft is here:
>
> https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html
>
> This draft has gone through a lot of change in the last few months, but we, the editors, believe that it’s at a fairly stable place in terms of the core functioning of the protocol now. It’s not finished yet, but we think that any changes that come from here will be smaller in scope, more of a cleanup and clarification than the deep invasive surgery that has happened up until now.
>
> One of the things about this draft is that, on its own, it is not sufficient for a security protocol. By design it needs some additional details on where to get key materials, how to negotiate algorithms, what fields need to be covered by the signature, etc. I am proposing that we in the OAuth WG replace the long-since-expired OAuth PoP working group draft with a new document based on HTTP Message Signatures. I believe that this document can be relatively short and to the point, given that much of the mechanics would be defined in the HTTP draft. If this is something we would like to do in the WG, I am volunteering to write the updated draft.
>
> I also want to be very clear that I still believe that this lives beside DPoP, and that DPoP should continue even as we pick this back up. In fact, I think that this work would take some pressure off of DPoP and allow it to be the streamlined point solution that it was originally intended to be.
>
> If the chairs would like, I would also be happy to discuss this at an interim meeting.
>
> — Justin
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
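The quoted message makes the point that HTTP Message Signatures on its own leaves a consuming protocol to decide where keys come from, which algorithms are allowed, and which message components a signature must cover. The following Python is an added illustration written for this archive page; it is not code from the thread, from the OAuth WG, or from the HTTP Message Signatures draft. It is modeled on the draft's signature-base construction (one line per covered component, closed by an `@signature-params` line) using the `hmac-sha256` algorithm mapping, but the exact serialization in draft-04 may differ in detail. The key id `test-key`, the shared key, the `REQUIRED_COMPONENTS` profile set, and the request values are all constructed for the example. The verifier shows what an OAuth-style profile adds on top of the HTTP draft: a signature that is cryptographically valid but does not cover `authorization` is still rejected.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Constructed demo values. Key distribution is exactly what the HTTP draft
# leaves to the consuming protocol; here both sides simply hold the same key.
KEY_ID = "test-key"
SHARED_KEY = b"constructed-demo-hmac-key-do-not-reuse"
# What a profile would pin down: components every signature must cover.
# Header names are expected in lower case, as the drafts canonicalize them.
REQUIRED_COMPONENTS = {"@method", "@target-uri", "authorization"}

def derived_component(name, method, target_uri):
    """A subset of the @-prefixed derived components used by the drafts."""
    parts = urlsplit(target_uri)
    if name == "@method":
        return method.upper()
    if name == "@target-uri":
        return target_uri
    if name == "@authority":
        return parts.netloc.lower()
    if name == "@path":
        return parts.path or "/"
    raise ValueError(f"unsupported derived component {name}")

def signature_params(covered, created, keyid, alg):
    """Serialize the @signature-params value: covered list plus parameters."""
    inner = " ".join(f'"{c}"' for c in covered)
    return f'({inner});created={created};keyid="{keyid}";alg="{alg}"'

def signature_base(covered, method, target_uri, headers, params):
    """One line per covered component, then the @signature-params line that
    binds the component list and the parameters into what gets signed."""
    lines = []
    for name in covered:
        if name.startswith("@"):
            value = derived_component(name, method, target_uri)
        else:
            key = name.lower()
            if key not in headers:
                raise ValueError(f"covered header {name} is absent from the message")
            # Header values are trimmed; multiple instances are joined with ", ".
            value = ", ".join(v.strip() for v in headers[key])
        lines.append(f'"{name}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def sign_request(covered, method, target_uri, headers, created,
                 key=SHARED_KEY, keyid=KEY_ID):
    """Produce Signature-Input and Signature header values (hmac-sha256)."""
    params = signature_params(covered, created, keyid, "hmac-sha256")
    base = signature_base(covered, method, target_uri, headers, params)
    mac = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return {
        "Signature-Input": f"sig1={params}",
        "Signature": f"sig1=:{base64.b64encode(mac).decode()}:",
    }

def verify_request(sig_headers, method, target_uri, headers, keys, now,
                   required=REQUIRED_COMPONENTS, max_age=300):
    """Return (ok, reason). The profile-level checks (required coverage,
    key lookup, allowed algorithm, freshness) run before any cryptography."""
    _, _, params = sig_headers["Signature-Input"].partition("=")
    covered = re.findall(r'"([^"]+)"', re.match(r"\(([^)]*)\)", params).group(1))
    keyid = re.search(r'keyid="([^"]*)"', params).group(1)
    alg = re.search(r'alg="([^"]*)"', params).group(1)
    created = int(re.search(r"created=(\d+)", params).group(1))

    missing = required - set(covered)
    if missing:
        return False, f"profile requires coverage of {sorted(missing)}"
    if keyid not in keys:
        return False, f"unknown keyid {keyid}"
    if alg != "hmac-sha256":
        return False, f"algorithm {alg} not allowed by profile"
    if abs(now - created) > max_age:
        return False, "signature outside freshness window"

    # Rebuild the base from the received parameters verbatim, so any change to
    # the covered list or parameters on the wire changes what is verified.
    try:
        base = signature_base(covered, method, target_uri, headers, params)
    except ValueError as exc:
        return False, str(exc)
    expected = hmac.new(keys[keyid], base.encode(), hashlib.sha256).digest()
    actual = base64.b64decode(re.search(r":([^:]+):", sig_headers["Signature"]).group(1))
    if not hmac.compare_digest(expected, actual):
        return False, "signature mismatch"
    return True, "ok"

if __name__ == "__main__":
    created = 1618884475  # constructed timestamp
    hdrs = {"authorization": ["Bearer constructed-access-token"], "host": ["example.org"]}
    uri = "https://example.org/resource?x=1"
    good = sign_request(["@method", "@target-uri", "authorization"], "GET", uri, hdrs, created)
    print(verify_request(good, "GET", uri, hdrs, {KEY_ID: SHARED_KEY}, now=created + 5))
    weak = sign_request(["@method", "@target-uri"], "GET", uri, hdrs, created)
    print(verify_request(weak, "GET", uri, hdrs, {KEY_ID: SHARED_KEY}, now=created + 5))
```

The ordering in `verify_request` is deliberate: coverage, key, algorithm and freshness are profile decisions, and rejecting on them first means an attacker cannot steer the verifier into doing MAC computations under a key or algorithm the profile never allowed. Binding the access token by covering `authorization` is what turns a generic HTTP signature into a proof-of-possession mechanism of the kind the thread discusses.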
