Thanks for the clarification, though I certainly disagree with your conclusion.
If you have additional outstanding concerns with the HTTP Sig document, Annabelle and I would welcome your feedback and engagement in HTTP to ensure those are addressed. :)

Thanks,
— Justin

> On Oct 6, 2021, at 5:24 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> I meant it is not yet adopted as an RFC.
>
> To be clear, I think you are doing great work on the HTTP Sig doc, and a number of concerns I have with HTTP signing have been addressed => I just think that doing work in the OAuth WG on a moving and unproven draft in the HTTP WG is not a good use of resources in the OAuth WG at this time.
>
> On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <jric...@mit.edu> wrote:
> > HTTP Sig looks very promising, but it has not been adopted as a draft
>
> Just to be clear, the HTTP Sig draft is an official adopted document of the HTTP Working Group since about a year ago. I would not have suggested we depend on it for a document within this WG otherwise.
>
> — Justin
>
>> On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
>>
>> I am not supportive of adoption of this document at this time.
>>
>> I am supportive of the concepts in the document. Building upon existing, widely used, proven security mechanisms gives us better security.
>>
>> HTTP Sig looks very promising, but it has not been adopted as a draft, and as far as I know, it is not widely deployed.
>>
>> We should wait to do work on extending HTTP Sig for OAuth until it has stabilized and proven itself in the field. We have more than enough work to do in the WG now, and having yet-another PoP mechanism is more likely to confuse the community at this time.
>>
>> An argument to adopt the draft would be to ensure HTTP Sig can be used in OAuth. Given Justin and Annabelle are also part of the OAuth community, I'm sure they will be considering how HTTP Sig can apply to OAuth, so the overlap is serving us already.
>>
>> /Dick
>>
>> On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aa...@parecki.com> wrote:
>> I support adoption of this document.
>>
>> - Aaron
>>
>> On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>> All,
>>
>> As a followup on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>
>> Please, provide your feedback on the mailing list by October 20th.
>>
>> Regards,
>> Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth