[Openid-specs-fapi] Alive and kicking: draft-cavage-http-signatures

Anders Rundgren anders.rundgren.net at gmail.com
Wed Mar 13 17:13:30 UTC 2019

On 2019-03-13 17:25, Joseph Heenan via Openid-specs-fapi wrote:
> I presume the interoperability issues are solvable one way or another?
> The early reports about OBUK’s signing algorithm seem to be cautiously pessimistic. I’m not sure if OB gave any reasons for not using the IETF cavage draft.
> I know we’ve discussed it before, but it does seem like the FAPI working group should try and favour one standard, which would also allow us to build interoperability/certification tests for that standard. I think the oauth working group feels similarly. Justin Richer pulled together some of the thoughts at IETF 101 ( https://datatracker.ietf.org/meeting/101/materials/slides-101-oauth-sessa-http-signing-00 ) but I’m not sure if the conversation moved on from there.

Hi Joseph,
thank you for providing this information; it was news to me at least!

If https://tools.ietf.org/html/draft-yasskin-http-origin-signed-responses-05 were to become "the" HTTP signature standard, we would be in big trouble. I can't even "decipher" it :-(

BTW, where does the FAPI signature solution stand standards-wise?
It is not obvious that the FAPI signature solution actually is RESTful; maybe I'm missing something here?


> Perhaps it’s one to put on the agenda for the oauth security workshop face-to-face?
> Joseph
