Hi Justin, Thanks for sharing this. A couple of initial thoughts:
Why HTTPSig vs Bearer? What happens if a httpsig token gets sent in a bearer auth header? I thought we’d basically settled on using Bearer + cnf for everything. There probably needs to be a privacy considerations section about the impact of client requests being signed/non-repudiable, especially when the content is being signed. Perhaps clients should be encouraged to regularly rotate and publish their old private keys as suggested here (for DKIM), unless non-repudiation is specifically needed: https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/ — Neil > On 2 Jul 2026, at 15:54, Justin Richer <[email protected]> wrote: > > Starting a new thread on this one: > > As you may have seen, I’ve updated the draft for applying HTTP Message > Signatures to OAuth Access Tokens, and Aaron has joined as co-author. A pull > for this work has come from a few different places lately and we’d like to > see this move forward in the WG. > > https://www.ietf.org/archive/id/draft-richer-oauth-httpsig-02.html > > Please read the draft, it’s not that long and I’ve left a bunch of editor’s > notes in places that I think we’d want to address more directly or would need > WG debate to come to a satisfying answer. > > — Justin > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected]
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
