Hi Denis,

The choice to use "iat" vs. "exp" was made in the summer of last year. You
can see some of the discussion from then in
https://github.com/danielfett/draft-dpop/issues/38. I believe it pretty
well has consensus at this point and thus unlikely to be changed.

While I do believe there are reasonable arguments that can be made on both
sides of using either of "iat" or "exp", it's difficult (and honestly time
consuming and very frustrating) to try and have such discussions or even
respond in a coherent way when fundamental aspects of the draft are
misrepresented or misunderstood. For example, the DPoP proof JWT is created
by the client, not the AS, so the advantages you put forward are nonsensical
in the context of the actual workings of the draft.

On Mon, Nov 30, 2020 at 8:45 AM Denis <denis.i...@free.fr> wrote:

> One comment on slide 5 about the *time window*.
>
> At the bottom, on the left, it is written: "Only valid for a limited *time
> window* relative to creation time".
>
> While the creation time is defined by "iat", the *time window* is
> currently left at the discretion of each RS.
>
> It would be preferable to mandate the inclusion in the JWT of the exp
> (Expiration Time) Claim.
> In this way, the *time window* would be defined by the AS using both the
> "iat" and the "exp" claims.
>
> This would have the following advantages:
>
>    - The client will know whether a token is still usable and is unlikely
>    to get a rejection of the token because of an unknown time window
>    defined by an RS.
>
>    - The RS is able to manage the "jti" claim values better, because it
>    will be able to discard "jti" claim values as soon as they are outside
>    the time window defined by the AS in a JWT.
>
> Denis
>
> All,
>
> This is a reminder that we have an Interim meeting this Monday, Nov 30th @
> 12:00pm ET, to discuss the latest with the *DPoP* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> You can find the details of the meeting and the slides here:
> https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth
>
> Regards,
>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

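The thread above turns on where the proof's time window is enforced: the DPoP proof JWT is minted by the client with an "iat", and the RS decides how old a proof may be and how long it must remember "jti" values to detect replay. The following is an added example, not code from the thread, the DPoP draft, or any IETF participant, showing one way an RS can tie both decisions to the same window. It assumes the proof has already been parsed and its signature verified against the key bound to the access token, and that the "htm"/"htu" binding checks happen elsewhere; only the decoded claims are examined here. The window sizes (`max_age`, `clock_skew`) are illustrative defaults chosen for this example, not values from the draft.

```python
"""Added example: RS-side freshness and replay checks for a DPoP proof.

Assumptions (not from the thread or the draft): signature, "htm" and "htu"
checks are done by the caller; this code sees only the decoded claims.
The window sizes are illustrative defaults, not mandated values.
"""
import time
from collections import OrderedDict


class ProofRejected(Exception):
    """Raised when a proof fails the freshness or replay check."""


class DpopFreshnessChecker:
    def __init__(self, max_age=300, clock_skew=30):
        self.max_age = max_age        # seconds a proof may be old (RS policy)
        self.clock_skew = clock_skew  # tolerated future-dating of "iat"
        # jti -> iat, in arrival order; arrival order is close to iat order
        # because every accepted iat lies within [now - max_age, now + skew].
        self._seen = OrderedDict()

    def tracked(self):
        """Number of jti values currently held for replay detection."""
        return len(self._seen)

    def _evict(self, now):
        # A replay of a proof older than the window is already rejected by
        # the iat check, so its jti no longer needs to be remembered.
        cutoff = now - self.max_age - self.clock_skew
        while self._seen:
            _, oldest_iat = next(iter(self._seen.items()))
            if oldest_iat >= cutoff:
                break
            self._seen.popitem(last=False)

    def check(self, claims, now=None):
        """Accept the proof (return True) or raise ProofRejected."""
        now = time.time() if now is None else now
        iat = claims.get("iat")
        jti = claims.get("jti")
        if isinstance(iat, bool) or not isinstance(iat, (int, float)):
            raise ProofRejected("missing or non-numeric iat")
        if not isinstance(jti, str) or not jti:
            raise ProofRejected("missing jti")
        if iat > now + self.clock_skew:
            raise ProofRejected("iat is in the future")
        if now - iat > self.max_age:
            raise ProofRejected("proof older than the RS window")
        # If the client chose to include "exp", honour it; it can only
        # narrow the window the RS would otherwise apply.
        exp = claims.get("exp")
        if exp is not None and now >= exp:
            raise ProofRejected("proof expired")
        self._evict(now)
        if jti in self._seen:
            raise ProofRejected("jti already used within the window")
        self._seen[jti] = iat
        return True


def demo():
    """Constructed claims, not captured from any real client."""
    checker = DpopFreshnessChecker()
    now = 1_606_744_800  # fixed clock so the run is reproducible
    fresh = {"jti": "e1j3V_bKic8-LAEB", "iat": now - 5,
             "htm": "GET", "htu": "https://rs.example/resource"}
    results = [checker.check(fresh, now)]
    for bad in (dict(fresh),                           # exact replay
                {**fresh, "jti": "x", "iat": now - 900},  # too old
                {**fresh, "jti": "y", "iat": now + 120}):  # future-dated
        try:
            checker.check(bad, now)
            results.append("accepted")
        except ProofRejected as err:
            results.append(str(err))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The eviction loop walks from the oldest arrival and stops at the first entry still inside the window, so the cache is bounded by the number of proofs accepted per window rather than growing for the lifetime of the process. Because out-of-order arrivals are possible within the skew tolerance, an entry may linger slightly past the cutoff until the entries ahead of it age out; that is harmless, since such an entry can never be matched by an accepted proof.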