> obviously we can't use any sensitive keys with these

That's not true at all, public clients can use keys that they create themselves or are issued to a particular instance. That's one of the reasons we are giving a name to this type of client in OAuth 2.1, a "credentialed" client.

A public client clearly can't share credentials with other instances of the public client, but there's no reason they can't use a key that is only ever known to them.

On Thu, Oct 7, 2021 at 9:06 PM Ash Narayanan <[email protected]> wrote:

> Oh geez, yesterday was my day off but ended up down a deep rabbit hole after reading this draft and the ones that came before it.
>
> I do not support adoption and was going to list my reasons but Warren Parad beat me to it.
>
> In addition to the list he has provided, I'd also like to see the draft make a mention of public clients; obviously we can't use any sensitive keys with these.
>
> Regards,
> Ash
>
> On Thu, Oct 7, 2021 at 11:02 PM Neil Madden <[email protected]> wrote:
>
>> Canonicalised signature schemes inevitably lead to cryptographic doom, and should die with SAML (ha!). For that reason I do not support adoption of this draft.
>>
>> I also think the arguments for canonicalisation vanish as soon as you want end-to-end confidentiality too.
>>
>> — Neil
>>
>> On 6 Oct 2021, at 22:02, Rifaat Shekh-Yusef <[email protected]> wrote:
>>
>> All,
>>
>> As a follow-up on the interim meeting today, this is a *call for adoption* for the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft as a WG document:
>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>
>> Please provide your feedback on the mailing list by *October 20th*.
>>
>> Regards,
>> Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth

--
Aaron Parecki
https://aaronparecki.com
