I wanted to jump back to the top of the thread to point out something that 
seems to be getting missed:


This is not a call for adoption of HTTP Message Signatures. That document
already exists in the HTTP WG and will be published as an RFC from that group.
If you want to have discussions about how the HTTP Message Signatures
specification works, come to the HTTP working group for those discussions.

This is a call for adoption of an OAuth application of the HTTP Message
Signatures spec. Signatures will exist with or without the OAuth WG’s use of
it, and I would argue that people are going to attach OAuth access tokens to
requests using HTTP Message Signatures whether or not the OAuth WG picks up
the work. The question is whether those applications are going to be isolated
profiles and silos, like they are today, or whether there can be one way to use
them together across different systems.

My recommendation is that the OAuth WG define how exactly HTTP Message
Signatures should be used with OAuth, which is what this proposal is for.

 — Justin


> On Oct 6, 2021, at 5:01 PM, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> 
> wrote:
> 
> All,
> 
> As a followup on the interim meeting today, this is a call for adoption for 
> the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a 
> WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
> 
> Please, provide your feedback on the mailing list by October 20th.
> 
> Regards,
>  Rifaat & Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
