Google wanted to re-state our long standing opinions on HTTP signature mechanisms in the OAuth2 spec. The short version is that standards for signing parts of an HTTP request have value in use-cases other than OAuth2, and thus they should be defined outside the spec, and just referenced from the spec similar to how we reference other Internet security building blocks like SSL. Those signature standards are likely to in turn reference optional mechanisms for key rotation and discovery, as well as reference different crypto schemes like HMAC or RSA.
There are already people in the identity community working on specs that are related to OAuth2, but which have value in other use-cases. For example, there are people working on defining standards around token formats, signing blobs of different types (such as a token and/or HTTP request), key discovery/rotation, and consumer-key namespaces across vendors. Dirk Balfanz from Google recently sent out updated drafts of some of those specs, and they also leverage specs that John Panzer from Google has worked on for Magic Signatures, as well as input from people in the community who are not at Google. However even though Google is working on those specs, we still believe it is a mistake to delay the OAuth2 core spec standard to wait on broad agreement for a "signature proposal," just as it would be a mistake to delay the OAuth2 core spec to wait on the standards efforts around token formats, token signing, key discovery/rotation, consumer-key naming, etc.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
