[Openid-specs-fapi] Next step(s) for FAPI?

Manu Sporny msporny at digitalbazaar.com
Mon Oct 7 13:54:32 UTC 2019


> Given that Cavage 11 includes the following.

Hi, my name is Manu Sporny, I'm the primary specification editor for
HTTP Signatures (draft-cavage-http-signatures).

> The Berlin group and others have had to explicitly reference version
>  10 to avoid using a spec that says “don’t use this”. This doesn’t
>  leave them a way forward with this draft.

There is a version 12 that will be published shortly that won't have
that text. We placed the text in there to gather feedback from the
community before committing to the specification text as the way
forward. As you can imagine, there are currently 25 implementations of
the specification and we need to be careful about changes to the
specification. We were unsure of some of the backwards-compatible
changes we made to this version (we're pretty sure we didn't break
anything, but wanted to make doubly sure with implementers before we
marked the specification as safe to implement in a non-experimental
fashion).

We have published an HTTP Signatures Test Suite to ensure that
implementations are actually following the specification:

https://github.com/w3c-dvcg/http-signatures-test-suite

It sounds like there is a time sensitivity here... what is it? If there
is a time sensitivity, we can accelerate the removal of that text.

> I expect that ETSI will look at the desirable properties of the 
> Cavage draft and try and come up with something that has the same
> characteristics.

This sounds like "we are going to fork the specification"... if you are
intending to do that, please don't. There has been tremendous effort
placed into getting the spec to where it is, gathering implementations,
putting a test suite together, etc. Things that you may feel are
unnecessary may result in severe vulnerabilities if removed.

This is the first I'm hearing about this group's desire to use some
variation of the specification. How can we, the people building the HTTP
Signatures spec, help?

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

