I have requested a session for this coming Monday, May 10th @ 12:00 pm ET. An announcement should be coming soon.
Regards,
Rifaat

On Wed, May 5, 2021 at 7:54 AM Rifaat Shekh-Yusef <[email protected]> wrote:

> Would this coming Monday, May 10th @ 12:00 pm ET, work for you?
>
> Regards,
> Rifaat
>
>
> On Mon, May 3, 2021 at 8:59 AM Justin Richer <[email protected]> wrote:
>
>> Hi Rifaat,
>>
>> If you’d like to keep the current mondays-at-noon-ET schedule I can
>> support that. Any Monday this month would work for me, and I’ve reached out
>> to Annabelle so hopefully she can join as well. I don’t know if I’d be able
>> to have the rewrite of the OAuth PoP draft in hand by any of those dates,
>> but the concept is straightforward enough to discuss with or without a
>> draft.
>>
>> Thanks,
>> — Justin
>>
>> On Apr 29, 2021, at 2:51 PM, Rifaat Shekh-Yusef <[email protected]>
>> wrote:
>>
>> Hi Justin,
>>
>> Thanks for the update on this,
>> We would be happy to schedule an interim meeting to discuss this.
>> Do you have a date in mind?
>>
>> Regards,
>> Rifaat & Hannes
>>
>>
>> On Thu, Apr 29, 2021 at 11:34 AM Justin Richer <[email protected]> wrote:
>>
>>> Many of you will remember an old draft that I was the editor of that
>>> defined OAuth proof of possession methods using HTTP Message Signing. When
>>> writing that draft I invented my own scheme because there wasn’t an
>>> existing HTTP message signature standard that was robust enough for our use
>>> cases. I’m happy to say that the landscape has changed: Annabelle Backman
>>> and I have been working in the HTTP Working Group on HTTP Message
>>> Signatures, a general-purpose HTTP signing draft with a lot of power and a
>>> lot of flexibility. There’s even a relatively straightforward way to map
>>> JOSE-defined signature algorithms into this (even though, to be clear, it
>>> is not JOSE-based). The current draft is here:
>>>
>>> https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-04.html
>>>
>>> This draft has gone through a lot of change in the last few months, but
>>> we, the editors, believe that it’s at a fairly stable place in terms of the
>>> core functioning of the protocol now. It’s not finished yet, but we think
>>> that any changes that come from here will be smaller in scope, more of a
>>> cleanup and clarification than the deep invasive surgery that has happened
>>> up until now.
>>>
>>> One of the things about this draft is that, on its own, it is not
>>> sufficient for a security protocol. By design it needs some additional
>>> details on where to get key materials, how to negotiate algorithms, what
>>> fields need to be covered by the signature, etc. I am proposing that we in
>>> the OAuth WG replace the long-since-expired OAuth PoP working group draft
>>> with a new document based on HTTP Message Signatures. I believe that this
>>> document can be relatively short and to the point, given that much of the
>>> mechanics would be defined in the HTTP draft. If this is something we would
>>> like to do in the WG, I am volunteering to write the updated draft.
>>>
>>> I also want to be very clear that I still believe that this lives beside
>>> DPoP, and that DPoP should continue even as we pick this back up. In fact,
>>> I think that this work would take some pressure off of DPoP and allow it to
>>> be the streamlined point solution that it was originally intended to be.
>>>
>>> If the chairs would like, I would also be happy to discuss this at an
>>> interim meeting.
>>>
>>> — Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
