Would this coming Monday, May 10th @ 12:00 pm ET, work for you? Regards, Rifaat
On Mon, May 3, 2021 at 8:59 AM Justin Richer <[email protected]> wrote:

> Hi Rifaat,
>
> If you’d like to keep the current Mondays-at-noon-ET schedule I can
> support that. Any Monday this month would work for me, and I’ve reached out
> to Annabelle so hopefully she can join as well. I don’t know if I’d be able
> to have the rewrite of the OAuth PoP draft in hand by any of those dates,
> but the concept is straightforward enough to discuss with or without a
> draft.
>
> Thanks,
> — Justin
>
> On Apr 29, 2021, at 2:51 PM, Rifaat Shekh-Yusef <[email protected]> wrote:
>
> Hi Justin,
>
> Thanks for the update on this.
> We would be happy to schedule an interim meeting to discuss this.
> Do you have a date in mind?
>
> Regards,
> Rifaat & Hannes
>
> On Thu, Apr 29, 2021 at 11:34 AM Justin Richer <[email protected]> wrote:
>
>> Many of you will remember an old draft that I was the editor of that
>> defined OAuth proof of possession methods using HTTP Message Signing. When
>> writing that draft I invented my own scheme because there wasn’t an
>> existing HTTP message signature standard that was robust enough for our use
>> cases. I’m happy to say that the landscape has changed: Annabelle Backman
>> and I have been working in the HTTP Working Group on HTTP Message
>> Signatures, a general-purpose HTTP signing draft with a lot of power and a
>> lot of flexibility. There’s even a relatively straightforward way to map
>> JOSE-defined signature algorithms into this (even though, to be clear, it
>> is not JOSE-based). The current draft is here:
>>
>> https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html
>>
>> This draft has gone through a lot of change in the last few months, but
>> we, the editors, believe that it’s at a fairly stable place in terms of the
>> core functioning of the protocol now. It’s not finished yet, but we think
>> that any changes that come from here will be smaller in scope, more of a
>> cleanup and clarification than the deep invasive surgery that has happened
>> up until now.
>>
>> One of the things about this draft is that, on its own, it is not
>> sufficient for a security protocol. By design it needs some additional
>> details on where to get key materials, how to negotiate algorithms, what
>> fields need to be covered by the signature, etc. I am proposing that we in
>> the OAuth WG replace the long-since-expired OAuth PoP working group draft
>> with a new document based on HTTP Message Signatures. I believe that this
>> document can be relatively short and to the point, given that much of the
>> mechanics would be defined in the HTTP draft. If this is something we would
>> like to do in the WG, I am volunteering to write the updated draft.
>>
>> I also want to be very clear that I still believe that this lives beside
>> DPoP, and that DPoP should continue even as we pick this back up. In fact,
>> I think that this work would take some pressure off of DPoP and allow it to
>> be the streamlined point solution that it was originally intended to be.
>>
>> If the chairs would like, I would also be happy to discuss this at an
>> interim meeting.
>>
>> — Justin
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
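Justin's point that HTTP Message Signatures alone is not a security protocol, because a profile still has to say which fields are covered and where keys come from, is easy to see in code. The following is an added illustration, not code from this thread, the HTTPbis draft, or the OAuth WG. It builds a signature base in the style of HTTP Message Signatures (the line-per-component serialization and the Signature-Input / Signature header values follow the published RFC 9421 form, the successor of the draft-04 linked above), signs it with HMAC-SHA256 under a shared key, and verifies it. The algorithm, the key id, the shared key and the sample request are all assumptions made for the example. The last function shows what the thread warns about: a header left out of the covered set can be altered without invalidating the signature.

```python
# Added illustration of an HTTP Message Signatures style signature base.
# Not from the thread or the drafts; HMAC-SHA256, the key id, the shared key
# and the sample request are constructed for this example.
import base64
import hashlib
import hmac

# Constructed sample request: method, authority, path and a few headers.
REQUEST = {
    "method": "POST",
    "authority": "api.example.com",
    "path": "/resource",
    "headers": {
        "content-type": "application/json",
        "date": "Thu, 29 Apr 2021 15:34:00 GMT",
        "authorization": "Bearer constructed-access-token",
    },
}

# Assumed shared key; an OAuth profile would say how this key is bound to
# the access token, which the HTTP draft deliberately leaves open.
KEY_ID = "test-shared-key"
SHARED_KEY = b"constructed-32-byte-demo-key-value!"

def derived_component(request, name):
    """Resolve the derived components (@method, @authority, @path) used here."""
    if name == "@method":
        return request["method"]
    if name == "@authority":
        return request["authority"]
    if name == "@path":
        return request["path"]
    raise ValueError(f"unsupported derived component {name}")

def component_lines(request, covered):
    """One '"name": value' line per covered component, header names lowercase."""
    lines = []
    for name in covered:
        if name.startswith("@"):
            value = derived_component(request, name)
        else:
            value = request["headers"][name].strip()
        lines.append(f'"{name}": {value}')
    return lines

def sign(request, covered, created):
    """Return (Signature-Input, Signature) header values for label sig1."""
    inner = " ".join(f'"{c}"' for c in covered)
    param_str = f'({inner});created={created};keyid="{KEY_ID}";alg="hmac-sha256"'
    base = "\n".join(component_lines(request, covered)
                     + [f'"@signature-params": {param_str}'])
    mac = hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()
    return f"sig1={param_str}", f"sig1=:{base64.b64encode(mac).decode()}:"

def verify(request, sig_input, sig):
    """Rebuild the base from the received request using the covered set that
    Signature-Input names, and compare MACs in constant time."""
    if not sig_input.startswith("sig1=") or not sig.startswith("sig1=:"):
        raise ValueError("unexpected signature label")
    param_str = sig_input[len("sig1="):]
    inner = param_str[param_str.index("(") + 1:param_str.index(")")]
    covered = [c.strip('"') for c in inner.split()]
    base = "\n".join(component_lines(request, covered)
                     + [f'"@signature-params": {param_str}'])
    expected = hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()
    received = base64.b64decode(sig[len("sig1=:"):-1])
    return hmac.compare_digest(expected, received)

def coverage_demo():
    """Sign with Authorization covered but Date uncovered, then tamper with
    each. Returns (original ok, tampered Authorization ok, tampered Date ok)."""
    covered = ["@method", "@authority", "@path", "authorization"]
    sig_input, sig = sign(REQUEST, covered, created=1619710440)
    changed_auth = {**REQUEST, "headers": {**REQUEST["headers"],
                                           "authorization": "Bearer other"}}
    changed_date = {**REQUEST, "headers": {**REQUEST["headers"],
                                           "date": "Fri, 30 Apr 2021 00:00:00 GMT"}}
    return (verify(REQUEST, sig_input, sig),
            verify(changed_auth, sig_input, sig),
            verify(changed_date, sig_input, sig))

if __name__ == "__main__":
    print(sign(REQUEST, ["@method", "@authority", "@path", "authorization"], 1619710440))
    print(coverage_demo())
```

The verifier only checks what Signature-Input lists, so the profile, not the signing mechanism, decides whether a replayed or modified Date (or any other header) is caught. That is exactly the "what fields need to be covered" decision a short OAuth document on top of the HTTP draft would have to pin down, alongside key discovery and algorithm selection.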
