Oh geez, yesterday was my day off but ended up down a deep rabbit hole
after reading this draft and the ones that came before it.

I do not support adoption and was going to list my reasons but Warren Parad
beat me to it.

In addition to the list he has provided, I'd also like to see the draft
make a mention of public clients; obviously we can't use any sensitive keys
with these.


Regards,
Ash

On Thu, Oct 7, 2021 at 11:02 PM Neil Madden <neil.mad...@forgerock.com>
wrote:

> Canonicalised signature schemes inevitably lead to cryptographic doom, and
> should die with SAML (ha!). For that reason I do not support adoption of
> this draft.
>
> I also think the arguments for canonicalisation vanish as soon as you want
> end-to-end confidentiality too.
>
> — Neil
>
> On 6 Oct 2021, at 22:02, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
> wrote:
>
> 
> All,
>
> As a followup on the interim meeting today, this is a *call for adoption* for
> the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft
> as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>
> Please provide your feedback on the mailing list by *October 20th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth