> HTTP Sig looks very promising, but it has not been adopted as a draft

Just to be clear, the HTTP Sig draft is an official adopted document of the HTTP Working Group since about a year ago. I would not have suggested we depend on it for a document within this WG otherwise.

— Justin

> On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> I am not supportive of adoption of this document at this time.
>
> I am supportive of the concepts in the document. Building upon existing, widely used, proven security mechanisms gives us better security.
>
> HTTP Sig looks very promising, but it has not been adopted as a draft, and as far as I know, it is not widely deployed.
>
> We should wait to do work on extending HTTP Sig for OAuth until it has stabilized and proven itself in the field. We have more than enough work to do in the WG now, and having yet-another PoP mechanism is more likely to confuse the community at this time.
>
> An argument to adopt the draft would be to ensure HTTP Sig can be used in OAuth. Given Justin and Annabelle are also part of the OAuth community, I'm sure they will be considering how HTTP Sig can apply to OAuth, so the overlap is serving us already.
>
> /Dick
>
> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aa...@parecki.com> wrote:
> I support adoption of this document.
>
> - Aaron
>
> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
> All,
>
> As a followup on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>
> Please, provide your feedback on the mailing list by October 20th.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth