<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-compose;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">If people want to do HTTP signing, the other alternatives are
<a href="https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03">https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03</a> (which is used in production, despite being expired), the
<a href="https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html">AWS request signing specification</a> (which was described in
<a href="https://datatracker.ietf.org/meeting/105/materials/slides-105-oauth-sessa-http-request-signing-in-amazon-web-services-00">
this presentation</a> at IETF 105, and is extensively used), and the <a href="https://tools.ietf.org/html/draft-fett-oauth-dpop-02">
OAuth DPoP spec</a>, which appears to be on track for adoption by the OAuth working group during IETF 106 in November.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">For those of you who aren’t aware of the warning in the <a href="https://tools.ietf.org/html/draft-cavage-http-signatures-11">
Cavage signatures draft</a>, it says:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> WARNING: DO NOT IMPLEMENT THIS SPECIFICATION AND PUSH THE CODE INTO<o:p></o:p></p>
<p class="MsoPlainText"> PRODUCTION. THIS VERSION OF THE SPECIFICATION IS ONLY FOR<o:p></o:p></p>
<p class="MsoPlainText"> EXPERIMENTAL IMPLEMENTATIONS.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It’s my understanding that Mark Cavage has abandoned the specification and believes it should not become a standard. (At least, that’s how Phil Hunt, also of Oracle, described its status to me.) So it’s surprising to me that there’s
even discussion about resurrecting it, given the other good choices already available.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I’ll be glad to be on the special FAPI call on this topic.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> -- Mike<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> On Behalf Of Manu Sporny via Openid-specs-fapi<br>
Sent: Monday, October 7, 2019 6:55 AM<br>
To: openid-specs-fapi@lists.openid.net<br>
Cc: Manu Sporny <msporny@digitalbazaar.com><br>
Subject: Re: [Openid-specs-fapi] Next step(s) for FAPI?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> Given that Cavage 11 includes the following.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hi, my name is Manu Sporny, I'm the primary specification editor for HTTP Signatures (draft-cavage-http-signatures).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> The Berlin group and others have had to explicitly reference version<o:p></o:p></p>
<p class="MsoPlainText">> 10 to avoid using a a spec that says “don’t use this”. This doesn’t
<o:p></o:p></p>
<p class="MsoPlainText">> leave them a way forward with this draft.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">There is a version 12 that will be published shortly that won't have that text. We placed the text in there to gather feedback from the community before committing to the specification text as the way forward. As you can imagine, there
are currently 25 implementations of the specification and we need to be careful about changes to the specification. We were unsure of some of the backwards-compatible changes we made to this version (we're pretty sure we didn't break anything, but wanted to
make doubly sure with implementers before we marked the specification as safe to implement in a non-experimental fashion).<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">We have published an HTTP Signatures Test Suite to ensure that implementations are actually following the specification:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c-dvcg%2Fhttp-signatures-test-suite&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cba00c025577249670bbd08d74b3233d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637060551313477316&sdata=ne6DJsjq9Awjf%2BwRr6iIdFwsNZ9HwdzHEMow4jnv1H0%3D&reserved=0">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c-dvcg%2Fhttp-signatures-test-suite&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cba00c025577249670bbd08d74b3233d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637060551313477316&sdata=ne6DJsjq9Awjf%2BwRr6iIdFwsNZ9HwdzHEMow4jnv1H0%3D&reserved=0</a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It sounds like there is a time sensitivity here... what is it? If there is a time sensitivity, we can accelerate the removal of that text.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> I expect that ETSI will look at the desirable properties of the
<o:p></o:p></p>
<p class="MsoPlainText">> Cavages draft and try and come up with something that has the same
<o:p></o:p></p>
<p class="MsoPlainText">> characteristics.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">This sounds like "we are going to fork the specification"... if you are intending to do that, please don't. There has been tremendous effort placed into getting the spec to where it is, gathering implementations, putting a test suite
together, etc. Things that you may feel are unnecessary may result in severe vulnerabilities if removed.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">This is the first I'm hearing about this groups desire to use some variation of the specification. How can we, the people building the HTTP Signatures spec, help?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-- manu<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">--<o:p></o:p></p>
<p class="MsoPlainText">Manu Sporny (skype: msporny, twitter: manusporny) Founder/CEO - Digital Bazaar, Inc.<o:p></o:p></p>
<p class="MsoPlainText">blog: Veres One Decentralized Identifier Blockchain Launches<o:p></o:p></p>
<p class="MsoPlainText"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftinyurl.com%2Fveres-one-launches&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cba00c025577249670bbd08d74b3233d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637060551313477316&sdata=OHr9rXEGMDiLkBYu6IAE9st6ttivdFwdFF2vEJDPlFk%3D&reserved=0"><span style="color:windowtext;text-decoration:none">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftinyurl.com%2Fveres-one-launches&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cba00c025577249670bbd08d74b3233d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637060551313477316&sdata=OHr9rXEGMDiLkBYu6IAE9st6ttivdFwdFF2vEJDPlFk%3D&reserved=0</span></a><o:p></o:p></p>
<p class="MsoPlainText">_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">Openid-specs-fapi mailing list<o:p></o:p></p>
<p class="MsoPlainText"><a href="mailto:Openid-specs-fapi@lists.openid.net"><span style="color:windowtext;text-decoration:none">Openid-specs-fapi@lists.openid.net</span></a><o:p></o:p></p>
<p class="MsoPlainText"><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.openid.net%2Fmailman%2Flistinfo%2Fopenid-specs-fapi&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cba00c025577249670bbd08d74b3233d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637060551313487315&sdata=qHHq2gCckF3Ae8m5Iu3fW%2FohxpFI3ao%2BJMr%2Fbhuqlz4%3D&reserved=0"><span style="color:windowtext;text-decoration:none">https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.openid.net%2Fmailman%2Flistinfo%2Fopenid-specs-fapi&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cba00c025577249670bbd08d74b3233d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637060551313487315&sdata=qHHq2gCckF3Ae8m5Iu3fW%2FohxpFI3ao%2BJMr%2Fbhuqlz4%3D&reserved=0</span></a><o:p></o:p></p>
</div>
</body>
</html>