I meant it is not yet adopted as an RFC. To be clear, I think you are doing great work on the HTTP Sig doc, and a number of concerns I have with HTTP signing have been addressed => I just think that doing work in the OAuth WG on a moving and unproven draft in the HTTP WG is not a good use of resources in the OAuth WG at this time.
On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <jric...@mit.edu> wrote:

> > HTTP Sig looks very promising, but it has not been adopted as a draft
>
> Just to be clear, the HTTP Sig draft is an official adopted document of
> the HTTP Working Group since about a year ago. I would not have suggested
> we depend on it for a document within this WG otherwise.
>
> — Justin
>
> On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> I am not supportive of adoption of this document at this time.
>
> I am supportive of the concepts in the document. Building upon existing,
> widely used, proven security mechanisms gives us better security.
>
> HTTP Sig looks very promising, but it has not been adopted as a draft, and
> as far as I know, it is not widely deployed.
>
> We should wait to do work on extending HTTP Sig for OAuth until it has
> stabilized and proven itself in the field. We have more than enough work to
> do in the WG now, and having yet-another PoP mechanism is more likely to
> confuse the community at this time.
>
> An argument to adopt the draft would be to ensure HTTP Sig can be used in
> OAuth.
> Given Justin and Annabelle are also part of the OAuth community, I'm sure
> they will be considering how HTTP Sig can apply to OAuth, so the overlap is
> serving us already.
>
> /Dick
>
> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aa...@parecki.com> wrote:
>
>> I support adoption of this document.
>>
>> - Aaron
>>
>> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>>
>>> All,
>>>
>>> As a followup on the interim meeting today, this is a *call for
>>> adoption* for the *OAuth Proof of Possession Tokens with HTTP Message
>>> Signature* draft as a WG document:
>>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>>
>>> Please, provide your feedback on the mailing list by *October 20th*.
>>>
>>> Regards,
>>> Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth