Re: [OAUTH-WG] Doc Shepherd Review - OAuth 2.0 Authorization Server Issuer Identification

2021-10-06 Thread Karsten Meyer zu Selhausen
Hi Rifaat, apologies for the delay. We published a new draft addressing your comments. We changed Section 2.4, paragraph 3 to: If clients interact with both authorization servers supporting this specification and authorization servers not supporting this specification, clients MUST

[OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-02.txt

2021-10-06 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Authorization Server Issuer Identification Authors : Karsten Meyer zu Selhausen

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Dick Hardt
Remember token binding? It was a stable draft. The OAuth WG spent a bunch of cycles building on top of token binding, but token binding did not get deployed, so no token binding for OAuth. As I mentioned, I think Justin and Annabelle (and anyone else interested) can influence HTTP Sig to cover

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Aaron Parecki
This actually seems like a great time for the OAuth group to start working on this more closely given the relative stability of this draft as well as the fact that it is not yet an RFC. This is a perfect time to be able to influence the draft if needed, rather than wait for it to be finalized and

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Justin Richer
Thanks for the clarification, though I certainly disagree with your conclusion. If you have additional outstanding concerns with the HTTP Sig document, Annabelle and I would welcome your feedback and engagement in HTTP to ensure those are addressed. :) Thanks, — Justin > On Oct 6, 2021, at

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Dick Hardt
I meant it is not yet adopted as an RFC. To be clear, I think you are doing great work on the HTTP Sig doc, and a number of concerns I have with HTTP signing have been addressed => I just think that doing work in the OAuth WG on a moving and unproven draft in the HTTP WG is not a good use of

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Justin Richer
> HTTP Sig looks very promising, but it has not been adopted as a draft Just to be clear, the HTTP Sig draft is an official adopted document of the HTTP Working Group since about a year ago. I would not have suggested we depend on it for a document within this WG otherwise. — Justin > On Oct

[OAUTH-WG] #READYTOWORK

2021-10-06 Thread Amy Taylor
I oauth to live and promise to keep all terms in loyalty and love ❤️

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Dick Hardt
I am not supportive of adoption of this document at this time. I am supportive of the concepts in the document. Building upon existing, widely used, proven security mechanisms gives us better security. HTTP Sig looks very promising, but it has not been adopted as a draft, and as far as I know,

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Aaron Parecki
I support adoption of this document. - Aaron On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef wrote: > All, > > As a followup on the interim meeting today, this is a *call for adoption *for > the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft > as a WG document: >

[OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

2021-10-06 Thread Rifaat Shekh-Yusef
All, As a followup on the interim meeting today, this is a *call for adoption* for the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft as a WG document: https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/ Please, provide your feedback on the mailing list by* October

[OAUTH-WG] Oct 6, 2021 Interim Meeting Minutes

2021-10-06 Thread Rifaat Shekh-Yusef
All, Thanks to *Dick Hardt*, here are the minutes for today's interim meeting. https://datatracker.ietf.org/meeting/interim-2021-oauth-11/materials/minutes-interim-2021-oauth-11-202110061200-01 https://notes.ietf.org/s/notes-ietf-interim-2021-oauth-11-oauth Let us know if you have any comments

Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-04.txt

2021-10-06 Thread Neil Madden
Overall I think this is good, but I have a few comments/suggestions: I think the stateful handling of server-supplied nonces (i.e. the client reuses the same nonce until the server sends a new one) perhaps needs to be clarified with respect to clients making concurrent requests. Especially

Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-04.txt

2021-10-06 Thread Mike Jones
FYI, I wrote about the nonce support at https://self-issued.info/?p=2194 and https://twitter.com/selfissued/status/1445789505902899206. -- Mike From: OAuth On Behalf Of Brian Campbell Sent: Monday, October 4, 2021 3:11 PM To: oauth

Re: [OAUTH-WG] OAuth WG Interim Meetings for October 2021

2021-10-06 Thread Rifaat Shekh-Yusef
All, The following link has links to the HTTP Signature draft and the slides for today's meeting. https://notes.ietf.org/notes-ietf-interim-2021-oauth-11-oauth We will also use the above link to capture the minutes and the attendees. When joining the meeting, please make sure to add your name to