inline On Fri, Oct 8, 2021 at 2:00 PM Richard Backman, Annabelle < [email protected]> wrote:
> IE, if the success of HTTP Signing is tied to the OAuth WG adopting the > draft, then Mike's arguments about the WG already doing this work is valid. > > > It's not the success of HTTP Message Signatures that concerns me here; > that draft will reach RFC regardless of what the OAuth WG does. > Maybe, maybe not. And then having adoption and proving that all the other concerns raised on the list such as canonicalization challenges are moot. > But I and others would like to use Message Signatures with OAuth 2.0, and > would like to have some confidence that there will be a standard, > interoperable way to do that. > > There are other, non-OAuth 2.0 use cases for HTTP Message Signatures. I > don't see the rationale behind waiting for implementations for completely > unrelated use cases, or by parties that aren't using OAuth 2.0 for > authorization. How are they relevant? > The proposal is to build upon a general purpose security mechanism. I would like to see that general purpose security mechanism proven before building upon it. /Dick ᐧ
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
