Greetings! I believe I volunteered to review the PIKA draft at IETF 120. The version reviewed: https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/ is the -01
The problem statement is clear, and I appreciate the authors leaving a few questions open in order to gain consensus views on those particular points. The design choice in section 1 seems appropriate to maintain the same trust model as HTTPS; it would be confusing to developers to have a different model used together.

I see mention of OpenID Connect in the MLS proposal, but PIKA seems to just be a JWT independent of the OpenID Connect framework and of any ties to OAuth. Is that correct? I also see you follow similar requirements to OpenID Federation. I do think it makes sense to keep this independent of OAuth, especially given the container signing aspect with the ability to look up prior signatures from particular points in time on particular package instances.

In the options in section 5.2, I prefer the use of PIKA signing certificates and keys instead of using HTTPS certificates.

General: I see the need for this work and like the design in that it is simple to get the specific functions performed. I am in support of this draft moving forward in a WG. Are other WGs being considered in addition to OAuth?

Thank you!

--
Best regards,
Kathleen
