<div dir="auto">Hi Anders, <div dir="auto"><br></div><div dir="auto">I'm actually thinking of a way to sign also the request line and selected HTTP Headers using JWS detached signature.</div><div dir="auto"><br></div><div dir="auto">Basically it would just work by adding this information in the secured JOSE header.</div><div dir="auto"><br></div><div dir="auto">Wdyt?</div><div dir="auto"><br></div><div dir="auto">Thanks,</div><div dir="auto"><br></div><div dir="auto">Philippe</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le jeu. 9 mai 2019 à 07:40, Anders Rundgren via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-fapi@lists.openid.net</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Chair & List,<br>
<br>
To me it looks close to ridiculous publicly downplaying <a href="https://datatracker.ietf.org/doc/draft-cavage-http-signatures/" rel="noreferrer noreferrer noreferrer" target="_blank">https://datatracker.ietf.org/doc/draft-cavage-http-signatures/</a> without providing an alternative.<br>
<br>
If nobody within the OpenID community is even interested in this matter, why the concern?<br>
<br>
Please provide a plan on how to resolve this issue, or simply accept that <a href="https://datatracker.ietf.org/doc/draft-cavage-http-signatures/" rel="noreferrer noreferrer noreferrer" target="_blank">https://datatracker.ietf.org/doc/draft-cavage-http-signatures/</a> is the de-facto standard for (at least) Open Banking. The industry in general (as proven by this case) does not seems to have any major issues with de-facto standards.<br>
<br>
If OpenID/FAPI intend to wait another year addressing this issue, the de-facto status will be cemented. Personally I see no problems if that would be the case. The authors also seem open to input.<br>
<br>
sincerely,<br>
Anders<br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" rel="noreferrer noreferrer" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div>