[OAUTH-WG] OAuth2.1 credentialed client

I'm not sure if these items have been brought up previously or are already on the agenda to be discussed at the interim meeting. Referring to the latest draft ( https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html) ... 1. The definition given under section 2.1 Client Types is: > Clients

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I do not support adopting this work as proposed, with the caveat that I am a co-editor of the DPoP work. We unfortunately do not have a single approach for PoP which works for all scenarios and deployments, why we have had several proposals and standards such as Token Binding, mutual TLS, and D

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

We can definitely start without that general purpose security mechanism being proven, by using other proven mechanisms to solve the same problem. There's no reason we need to depend on nor utilize HTTPSig for solving the problems hoped to be achieved with this draft. But we do need to stipulate con

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

inline On Fri, Oct 8, 2021 at 2:00 PM Richard Backman, Annabelle < richa...@amazon.com> wrote: > IE, if the success of HTTP Signing is tied to the OAuth WG adopting the > draft, then Mike's arguments about the WG already doing this work is valid. > > > It's not the success of HTTP Message Signatu

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

IE, if the success of HTTP Signing is tied to the OAuth WG adopting the draft, then Mike's arguments about the WG already doing this work is valid. It's not the success of HTTP Message Signatures that concerns me here; that draft will reach RFC regardless of what the OAuth WG does. But I and oth

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I think there are a bunch of different conversations happening here at the same time. Individual responses arguing for/against others in the WG isn't going to be productive over email. If the goal is to convince everyone that there are merits despite the objections, then tracking those objections a

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

We need to come up with a better argument such as: This allows a client to reduce use of the token to a smaller window to where the signature is also valid. We have one: prevent unauthorized parties from using access tokens. Since a client's signing key never needs to leave the client's system,

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I understand the layering that you’re describing, Justin. That said, all the complexity of OAuth 1 and draft-ietf-oauth-signed-http-request are still there *and more*. The complexity is just moved to a different draft in the HTTP working group that the proposed OAuth draft in question has take

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

On Fri, Oct 8, 2021 at 12:39 PM Richard Backman, Annabelle < richa...@amazon.com> wrote: > > Blocking WG development of an OAuth 2.0 profile of Message Signatures > behind widespread deployment of Message Signatures risks creating a > deadlock where the WG is waiting for implementations from would

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

> > HTTP Message Signing exists, people are implementing it and using it. Token Binding existed as well. HTTP Message Signing is not yet an RFC, and in my opinion it only makes sense for OAuth to build on top of it if it is successful with lots of interoperable deployments. ᐧ On Fri, Oct 8, 202

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

"This draft is actually significantly simpler than DPoP precisely because it is not defining an HTTP signing mechanism. " that is my understanding as well, but I was afraid to start a flame war :D On Fri, Oct 8, 2021 at 4:23 PM Justin Richer wrote: > Hi Mike, > > One of the major benefits of thi

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I agree that Token Binding is not an experience we want to repeat, and I understand having a "once bitten, twice shy" reaction to this. However, the circumstances that led to Token Binding's failure do not apply to Message Signatures. Token Binding required changes in the user agent, meaning tha

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Hi Mike, One of the major benefits of this proposed draft is that it does not try to solve the problem of HTTP message signing — which is a huge problem unto itself. When I wrote the original draft-ietf-oauth-signed-http-request, I wasn’t able to write it to depend on a general-purpose HTTP sig

Re: [OAUTH-WG] Shepherd writeup for draft-ietf-oauth-iss-auth-resp

Thank you RIfaat. Looks good to me, too. Best regards, Karsten On 08.10.2021 15:49, Daniel Fett wrote: Hi Rifaat, looks good to me! -Daniel Am 08.10.21 um 15:13 schrieb Rifaat Shekh-Yusef: All, The following is the first version of the shepherd writeup for the draft-ietf-oauth-iss-auth-r

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I do not support adoption of this draft. OAuth 1 failed because of the complexity of HTTP Signing and the resulting difficulty of achieving interop. draft-ietf-oauth-signed-http-request was abandoned by the working group recognizing that it was resurrecting equivalent complexity to OAuth 1. T

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I support adoption of this draft as a working group document. I have seen a few objections due in part to the draft not addressing this or that topic. Bear in mind that this is a call for adoption of a draft; this is not WGLC. It is generally expected that a draft may be far from complete before

Re: [OAUTH-WG] Shepherd writeup for draft-ietf-oauth-iss-auth-resp

Hi Rifaat, looks good to me! -Daniel Am 08.10.21 um 15:13 schrieb Rifaat Shekh-Yusef: > All, > > The following is the first version of the shepherd writeup for > the draft-ietf-oauth-iss-auth-resp document. > https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/shepherdwriteup/ >

[OAUTH-WG] Shepherd writeup for draft-ietf-oauth-iss-auth-resp

All, The following is the first version of the shepherd writeup for the draft-ietf-oauth-iss-auth-resp document. https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/shepherdwriteup/ Please, take a look and let me know if I missed anything. I plan to ship it to the IESG next week. Reg