On Fri, Nov 22, 2019 at 3:08 PM Neil Madden <[email protected]> wrote:
> On 22 Nov 2019, at 01:42, Richard Backman, Annabelle <[email protected]> wrote:
> 
> > There are key distribution challenges with that if you are doing validation at the RS, but validation at the RS using either approach means you've lost protection against replay by the RS. This brings us back to a core question: what threats are in scope for DPoP, and in what contexts?
> 
> Agreed, but validation at the RS is premature optimisation in many cases. And if you do need protection against that the client can even append a confirmation key as a caveat and retrospectively upgrade a bearer token to a pop token. They can even do transfer of ownership by creating copies of the original token bound to other certificates/public keys.

While validation at the RS may be an optimization in many cases, it is still a requirement for deployments. I echo Annabelle's last question: what threats are in scope (and out of scope) for DPoP?
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
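The caveat-append upgrade Neil describes in the quoted reply, sketched as an added example (this is not code from the thread, from DPoP, or from any macaroon library): a macaroon-style HMAC chain in which the client appends a `cnf=` caveat binding the token to its key, and the RS refuses the token unless a proof under that key accompanies the request. The chain construction, the `cnf=<thumbprint>` caveat syntax, and `stand_in_sign`/`stand_in_verify` (a symmetric stand-in for the real JWS signature check a deployment would run on the proof) are all assumptions made here.

```python
import hashlib
import hmac

# Macaroon-style chain (assumed construction): each caveat is folded into the
# signature, so a holder can append restrictions but never strip them.
def mint(secret: bytes, token_id: str) -> dict:
    sig = hmac.new(secret, token_id.encode(), hashlib.sha256).digest()
    return {"id": token_id, "caveats": [], "sig": sig}

def append_caveat(token: dict, caveat: str) -> dict:
    sig = hmac.new(token["sig"], caveat.encode(), hashlib.sha256).digest()
    return {"id": token["id"], "caveats": token["caveats"] + [caveat], "sig": sig}

def chain_valid(secret: bytes, token: dict) -> bool:
    sig = hmac.new(secret, token["id"].encode(), hashlib.sha256).digest()
    for caveat in token["caveats"]:
        sig = hmac.new(sig, caveat.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, token["sig"])

def thumbprint(public_key: bytes) -> str:
    # Stand-in for a JWK thumbprint: hash of the serialized key.
    return hashlib.sha256(public_key).hexdigest()

def stand_in_sign(key: bytes, msg: bytes) -> bytes:
    # Constructed stand-in for the proof signature so the example runs offline;
    # a real RS verifies a JWS with the client's public key instead.
    return hmac.new(key, msg, hashlib.sha256).digest()

def stand_in_verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(key, msg), sig)

def authorize(secret: bytes, token: dict, proof, verify_sig) -> bool:
    """RS-side check. proof is {"key", "msg", "sig"} or None. If any cnf caveat
    binds a key, the proof must be signed by that key; a second cnf appended by
    someone else cannot rebind the token, because every cnf must still match."""
    if not chain_valid(secret, token):
        return False
    bound = [c[len("cnf="):] for c in token["caveats"] if c.startswith("cnf=")]
    if not bound:
        return True  # no confirmation caveat: still a plain bearer token
    if proof is None or any(thumbprint(proof["key"]) != b for b in bound):
        return False
    return verify_sig(proof["key"], proof["msg"], proof["sig"])

if __name__ == "__main__":
    secret, key = b"constructed-as-secret", b"constructed-client-key"
    pop = append_caveat(mint(secret, "tok-1"), "cnf=" + thumbprint(key))
    proof = {"key": key, "msg": b"GET /r", "sig": stand_in_sign(key, b"GET /r")}
    print(authorize(secret, pop, proof, stand_in_verify))   # True
    print(authorize(secret, pop, None, stand_in_verify))    # False: proof required
```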
