Remember token binding? It was a stable draft. The OAuth WG spent a bunch of cycles building on top of token binding, but token binding did not get deployed, so no token binding for OAuth.
As I mentioned, I think Justin and Annabelle (and anyone else interested) can influence HTTP Sig to cover OAuth use cases. /Dick ᐧ On Wed, Oct 6, 2021 at 2:48 PM Aaron Parecki <[email protected]> wrote: > This actually seems like a great time for the OAuth group to start working > on this more closely given the relative stability of this draft as well as > the fact that it is not yet an RFC. This is a perfect time to be able to > influence the draft if needed, rather than wait for it to be finalized and > then have to find a less-than-ideal workaround for something unforeseen. > > Aaron > > On Wed, Oct 6, 2021 at 2:25 PM Dick Hardt <[email protected]> wrote: > >> I meant it is not yet adopted as an RFC. >> >> To be clear, I think you are doing great work on the HTTP Sig doc, and a >> number of concerns I have with HTTP signing have been addressed => I just >> think that doing work in the OAuth WG on a moving and unproven draft in the >> HTTP WG is not a good use of resources in the OAuth WG at this time. >> >> >> ᐧ >> >> On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <[email protected]> wrote: >> >>> > HTTP Sig looks very promising, but it has not been adopted as a draft >>> >>> Just to be clear, the HTTP Sig draft is an official adopted document of >>> the HTTP Working Group since about a year ago. I would not have suggested >>> we depend on it for a document within this WG otherwise. >>> >>> — Justin >>> >>> On Oct 6, 2021, at 5:08 PM, Dick Hardt <[email protected]> wrote: >>> >>> I am not supportive of adoption of this document at this time. >>> >>> I am supportive of the concepts in the document. Building upon existing, >>> widely used, proven security mechanisms gives us better security. >>> >>> HTTP Sig looks very promising, but it has not been adopted as a draft, >>> and as far as I know, it is not widely deployed. >>> >>> We should wait to do work on extending HTTP Sig for OAuth until it has >>> stabilized and proven itself in the field. We have more than enough work to >>> do in the WG now, and having yet-another PoP mechanism is more likely to >>> confuse the community at this time. >>> >>> An argument to adopt the draft would be to ensure HTTP Sig can be used >>> in OAuth. >>> Given Justin and Annabelle are also part of the OAuth community, I'm >>> sure they will be considering how HTTP Sig can apply to OAuth, so the >>> overlap is serving us already. >>> >>> /Dick >>> >>> >>> ᐧ >>> >>> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <[email protected]> wrote: >>> >>>> I support adoption of this document. >>>> >>>> - Aaron >>>> >>>> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef < >>>> [email protected]> wrote: >>>> >>>>> All, >>>>> >>>>> As a followup on the interim meeting today, this is a *call for >>>>> adoption *for the *OAuth Proof of Possession Tokens with HTTP Message >>>>> Signature* draft as a WG document: >>>>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/ >>>>> >>>>> Please, provide your feedback on the mailing list by* October 20th*. >>>>> >>>>> Regards, >>>>> Rifaat & Hannes >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> [email protected] >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> [email protected] >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> _______________________________________________ >>> OAuth mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
