I do not support adoption of this draft. OAuth 1 failed because of the
complexity of HTTP Signing and the resulting difficulty of achieving interop.
draft-ietf-oauth-signed-http-request was abandoned by the working group
recognizing that it was resurrecting equivalent complexity to OAuth 1. The
proposed new draft is a third crack at the same thing that’s not sufficiently
differentiated from the previous failed efforts in my mind to warrant us
spending time on it.

Also, note we do have draft-ietf-oauth-dpop, which solves the actual
proof-of-possession problem for OAuth in a narrowly targeted, focused manner.
That draft is active and in good shape. We don’t need a more general, more
complicated draft solving the same problem.
-- Mike

From: OAuth <[email protected]> On Behalf Of Rifaat Shekh-Yusef
Sent: Wednesday, October 6, 2021 2:02 PM
To: oauth <[email protected]>
Subject: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with
HTTP Message Signature

All,

As a followup on the interim meeting today, this is a call for adoption for the
OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG
document:
https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/

Please, provide your feedback on the mailing list by October 20th.

Regards,
Rifaat & Hannes