: Friday, October 22, 2021 6:08 PM
To: Richard Backman, Annabelle
Cc: David Waite; oauth
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adoption - OAuth Proof of
Possession Tokens with HTTP Message Signature
I have a use case for a self contained request that can be
independently verified by multiple parties. IE, not just have PoP at HTTP
endpoint, but by components doing processing further down the line. It also
provides non-repudiation.
For example, a JWT that is sent as an HTTP payload includes
> On Oct 14, 2021, at 8:47 AM, Warren Parad
> wrote:
>
> I feel like there are a bunch of pieces of the implementation fundamentally
> missing here, so we are back to, as it is right now, the draft isn't
> sufficient.
Of course the draft isn’t sufficient for publication — that’s what the
I feel like there are a bunch of pieces of the implementation fundamentally
missing here, so we are back to, as it is right now, the draft isn't
sufficient. What prevents the signature from being used without this RFC?
How do you expect the symmetric key exchange to be OAuth compliant? How
does
Agreed with keeping DPoP simple, which was why I was asking if the proposal
could indicate it was targeting some of these other use cases.
It's clear from the feedback that the current draft does not clearly express
these use cases. There is overlap with DPoP – on a technical level, Message
If keeping DPoP simple means we have to come up with 10 different
variants to handle all the different cases that it doesn't support, then it
isn't keeping it simple, it is just pushing the problem forward to the
implementers to figure out which set of RFCs to implement.
I would agree with
> On Oct 13, 2021, at 12:26 PM, Richard Backman, Annabelle
> wrote:
>
> Those issues that could be addressed without completely redesigning DPoP have
> been discussed within the Working Group multiple times. (See quotes and
> meeting notes references in my previous message) The authors