Hi Justin,

Thanks for sharing this. A couple of initial thoughts:

Why HTTPSig vs Bearer? What happens if a httpsig token gets sent in a bearer 
auth header? I thought we’d basically settled on using Bearer + cnf for 
everything. 

There probably needs to be a privacy considerations section about the impact of 
client requests being signed/non-repudiable, especially when the content is 
being signed. Perhaps clients should be encouraged to regularly rotate and 
publish their old private keys as suggested here (for DKIM), unless 
non-repudiation is specifically needed:

https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

— Neil

> On 2 Jul 2026, at 15:54, Justin Richer <[email protected]> wrote:
> 
>  Starting a new thread on this one:
> 
> As you may have seen, I’ve updated the draft for applying HTTP Message 
> Signatures to OAuth Access Tokens, and Aaron has joined as co-author. A pull 
> for this work has come from a few different places lately and we’d like to 
> see this move forward in the WG. 
> 
> https://www.ietf.org/archive/id/draft-richer-oauth-httpsig-02.html
> 
> Please read the draft, it’s not that long and I’ve left a bunch of editor’s 
> notes in places that I think we’d want to address more directly or would need 
> WG debate to come to a satisfying answer.
> 
> — Justin
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to