[Openid-specs-fapi] OpenID/FAPI alternative to draft-cavage-http-signatures

Philippe Leothaud philippe.leothaud at 42crunch.com
Thu May 9 08:34:10 UTC 2019

Hi Anders,

I'm actually thinking of a way to sign also the request line and selected
HTTP Headers using JWS detached signature.

Basically it would just work by adding this information in the secured JOSE




Le jeu. 9 mai 2019 à 07:40, Anders Rundgren via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> a écrit :

> Dear Chair & List,
> To me it looks close to ridiculous publicly downplaying
> https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ without
> providing an alternative.
> If nobody within the OpenID community is even interested in this matter,
> why the concern?
> Please provide a plan on how to resolve this issue, or simply accept that
> https://datatracker.ietf.org/doc/draft-cavage-http-signatures/ is the
> de-facto standard for (at least) Open Banking.  The industry in general (as
> proven by this case) does not seems to have any major issues with de-facto
> standards.
> If OpenID/FAPI intend to wait another year addressing this issue, the
> de-facto status will be cemented.  Personally I see no problems if that
> would be the case.  The authors also seem open to input.
> sincerely,
> Anders
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190509/deeb63bf/attachment.html>

More information about the Openid-specs-fapi mailing list