Hi Rifaat,

If you’d like to keep the current Mondays-at-noon-ET schedule I can support 
that. Any Monday this month would work for me, and I’ve reached out to 
Annabelle so hopefully she can join as well. I don’t know if I’d be able to 
have the rewrite of the OAuth PoP draft in hand by any of those dates, but the 
concept is straightforward enough to discuss with or without a draft.

Thanks,
 — Justin

> On Apr 29, 2021, at 2:51 PM, Rifaat Shekh-Yusef <[email protected]> 
> wrote:
> 
> Hi Justin,
> 
> Thanks for the update on this.
> We would be happy to schedule an interim meeting to discuss this. 
> Do you have a date in mind?
> 
> Regards,
>  Rifaat & Hannes
> 
> On Thu, Apr 29, 2021 at 11:34 AM Justin Richer <[email protected]> wrote:
> Many of you will remember an old draft that I was the editor of that defined 
> OAuth proof of possession methods using HTTP Message Signing. When writing 
> that draft I invented my own scheme because there wasn’t an existing HTTP 
> message signature standard that was robust enough for our use cases. I’m 
> happy to say that the landscape has changed: Annabelle Backman and I have 
> been working in the HTTP Working Group on HTTP Message Signatures, a 
> general-purpose HTTP signing draft with a lot of power and a lot of 
> flexibility. There’s even a relatively straightforward way to map 
> JOSE-defined signature algorithms into this (even though, to be clear, it is 
> not JOSE-based). The current draft is here:
> 
> https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html 
> 
> This draft has gone through a lot of change in the last few months, but we, 
> the editors, believe that it’s at a fairly stable place in terms of the core 
> functioning of the protocol now. It’s not finished yet, but we think that any 
> changes that come from here will be smaller in scope, more of a cleanup and 
> clarification than the deep invasive surgery that has happened up until now.
> 
> One of the things about this draft is that, on its own, it is not sufficient 
> for a security protocol. By design it needs some additional details on where 
> to get key materials, how to negotiate algorithms, what fields need to be 
> covered by the signature, etc. I am proposing that we in the OAuth WG replace 
> the long-since-expired OAuth PoP working group draft with a new document 
> based on HTTP Message Signatures. I believe that this document can be 
> relatively short and to the point, given that much of the mechanics would be 
> defined in the HTTP draft. If this is something we would like to do in the 
> WG, I am volunteering to write the updated draft.
> 
> I also want to be very clear that I still believe that this lives beside 
> DPoP, and that DPoP should continue even as we pick this back up. In fact, I 
> think that this work would take some pressure off of DPoP and allow it to be 
> the streamlined point solution that it was originally intended to be.
> 
> If the chairs would like, I would also be happy to discuss this at an interim 
> meeting.
> 
>  — Justin
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
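The profile decisions Justin lists above (where key material comes from, which algorithm is allowed, which fields the signature must cover) are exactly the part that HTTP Message Signatures leaves open by design. The following is an added example, not code from this thread, from the draft, or from any OAuth document: a small HMAC-SHA256 signer and verifier whose signature base follows the layout of the published RFC 9421 version of the draft (one `"name": value` line per covered component, then an `@signature-params` line) rather than the exact draft-04 wire syntax. The key, keyid, request, and the profile rules enforced by `verify` (alg pinned to `hmac-sha256`, a required-coverage list, a 300 s freshness window, Content-Digest recomputed over the body) are assumptions constructed for illustration. The last part of the demo shows why the coverage rule matters: a signature that does not cover `Authorization` still verifies after the bearer token is swapped.

```python
"""Added example (not from the thread or the draft): an RFC 9421-style
HTTP message signature profile using HMAC-SHA256. Keys and values below are
constructed for illustration only."""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    authority: str
    path: str
    headers: dict = field(default_factory=dict)  # lowercase header name -> value
    body: bytes = b""


def content_digest(body: bytes) -> str:
    """Content-Digest value (sha-256, sf-binary ':..:' form) binding the body."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def component_value(req: Request, name: str) -> str:
    """Canonical value of one covered component: a derived @-component or a header."""
    derived = {"@method": req.method.upper(), "@authority": req.authority.lower(), "@path": req.path}
    if name.startswith("@"):
        if name not in derived:
            raise ValueError(f"unsupported derived component {name!r}")
        return derived[name]
    if name not in req.headers:
        raise ValueError(f"covered component {name!r} absent from message")
    return req.headers[name].strip()


def signature_base(req: Request, covered: list, sig_params: str) -> str:
    """The string that is actually signed: covered lines plus the params line."""
    lines = [f'"{c}": {component_value(req, c)}' for c in covered]
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines)


def sign(req: Request, key: bytes, keyid: str, covered: list, created: int, label: str = "sig1") -> None:
    """Attach Signature-Input and Signature headers covering exactly `covered`."""
    inner = " ".join(f'"{c}"' for c in covered)
    sig_params = f'({inner});created={created};keyid="{keyid}";alg="hmac-sha256"'
    mac = hmac.new(key, signature_base(req, covered, sig_params).encode(), hashlib.sha256).digest()
    req.headers["signature-input"] = f"{label}={sig_params}"
    req.headers["signature"] = f"{label}=:{base64.b64encode(mac).decode()}:"


def parse_signature_input(value: str, label: str):
    """Split 'label=("a" "b");k=v;...' into (covered list, params dict, raw params)."""
    if not value.startswith(label + "=(") or ")" not in value:
        raise ValueError("malformed Signature-Input")
    raw = value[len(label) + 1:]
    inner, _, rest = raw[1:].partition(")")
    covered = [c.strip('"') for c in inner.split()]
    params = {}
    for p in filter(None, rest.split(";")):
        k, _, v = p.partition("=")
        params[k] = v.strip('"')
    return covered, params, raw


def verify(req: Request, keys: dict, required: list, label: str = "sig1",
           now: Optional[float] = None, max_age: int = 300) -> bool:
    """Verify under this example's profile rules (assumed, not from the draft):
    fixed alg, key lookup by keyid, mandatory coverage, freshness, body digest."""
    covered, params, raw = parse_signature_input(req.headers.get("signature-input", ""), label)
    missing = [c for c in required if c not in covered]
    if missing:
        raise ValueError(f"signature does not cover required components {missing}")
    if params.get("alg") != "hmac-sha256":
        raise ValueError("alg not allowed by profile")
    key = keys.get(params.get("keyid"))
    if key is None:
        raise ValueError("unknown keyid")
    age = (time.time() if now is None else now) - int(params.get("created", "0"))
    if not 0 <= age <= max_age:
        raise ValueError("signature outside freshness window")
    # The body is only protected through the digest, so recompute it when covered.
    if "content-digest" in covered and req.headers.get("content-digest") != content_digest(req.body):
        raise ValueError("Content-Digest does not match body")
    sig = req.headers.get("signature", "")
    if not sig.startswith(label + "=:") or not sig.endswith(":"):
        raise ValueError("malformed Signature")
    expected = hmac.new(key, signature_base(req, covered, raw).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig[len(label) + 2:-1])):
        raise ValueError("signature mismatch")
    return True


KEY = b"constructed-32-byte-demo-key-0123"  # constructed demo key, never a real secret
KEYS = {"demo-hmac": KEY}                    # assumed key store for the verifier
FULL = ["@method", "@authority", "@path", "authorization", "content-digest"]


def make_signed(covered=FULL, created: int = 1619712000) -> Request:
    """Constructed sample request, signed over `covered`."""
    body = b'{"action":"transfer"}'
    req = Request("POST", "api.example.com", "/resource",
                  {"authorization": "Bearer constructed-token", "content-digest": content_digest(body)}, body)
    sign(req, KEY, "demo-hmac", covered, created)
    return req


def verifies(req: Request, required=FULL, now: float = 1619712010) -> bool:
    try:
        return verify(req, KEYS, required, now=now)
    except ValueError:
        return False


if __name__ == "__main__":
    good = make_signed()
    print("intact request:", verifies(good))
    good.body = b'{"action":"drain"}'
    print("body swapped:", verifies(good))
    weak = make_signed(covered=["@method", "@path"])
    weak.headers["authorization"] = "Bearer stolen"
    print("weak profile, token swapped:", verifies(weak, required=["@method", "@path"]))
    print("strict profile, token swapped:", verifies(weak))
```

Everything `verify` checks beyond the MAC itself (alg, keyid resolution, which components are mandatory, how old a `created` may be, recomputing the digest) is profile material in Justin's sense; the signature draft gives you the base and the headers, and a document such as the proposed OAuth one has to pin these down or the verifier has no basis for rejecting the "weak" case above.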
