This actually seems like a great time for the OAuth group to start working on this more closely given the relative stability of this draft as well as the fact that it is not yet an RFC. This is a perfect time to be able to influence the draft if needed, rather than wait for it to be finalized and then have to find a less-than-ideal workaround for something unforeseen.
Aaron

On Wed, Oct 6, 2021 at 2:25 PM Dick Hardt <[email protected]> wrote:

> I meant it is not yet adopted as an RFC.
>
> To be clear, I think you are doing great work on the HTTP Sig doc, and a
> number of concerns I have with HTTP signing have been addressed => I just
> think that doing work in the OAuth WG on a moving and unproven draft in the
> HTTP WG is not a good use of resources in the OAuth WG at this time.
>
> On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <[email protected]> wrote:
>
>> > HTTP Sig looks very promising, but it has not been adopted as a draft
>>
>> Just to be clear, the HTTP Sig draft is an official adopted document of
>> the HTTP Working Group since about a year ago. I would not have suggested
>> we depend on it for a document within this WG otherwise.
>>
>> — Justin
>>
>> On Oct 6, 2021, at 5:08 PM, Dick Hardt <[email protected]> wrote:
>>
>> I am not supportive of adoption of this document at this time.
>>
>> I am supportive of the concepts in the document. Building upon existing,
>> widely used, proven security mechanisms gives us better security.
>>
>> HTTP Sig looks very promising, but it has not been adopted as a draft,
>> and as far as I know, it is not widely deployed.
>>
>> We should wait to do work on extending HTTP Sig for OAuth until it has
>> stabilized and proven itself in the field. We have more than enough work to
>> do in the WG now, and having yet-another PoP mechanism is more likely to
>> confuse the community at this time.
>>
>> An argument to adopt the draft would be to ensure HTTP Sig can be used in
>> OAuth.
>> Given Justin and Annabelle are also part of the OAuth community, I'm sure
>> they will be considering how HTTP Sig can apply to OAuth, so the overlap is
>> serving us already.
>>
>> /Dick
>>
>> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <[email protected]> wrote:
>>
>>> I support adoption of this document.
>>>
>>> - Aaron
>>>
>>> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <
>>> [email protected]> wrote:
>>>
>>>> All,
>>>>
>>>> As a followup on the interim meeting today, this is a *call for
>>>> adoption *for the *OAuth Proof of Possession Tokens with HTTP Message
>>>> Signature* draft as a WG document:
>>>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>>>
>>>> Please, provide your feedback on the mailing list by* October 20th*.
>>>>
>>>> Regards,
>>>> Rifaat & Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/oauth
