On 11 Jun 2021, at 21:20, Brian Campbell <[email protected]> wrote:
>
> Hi Dmitry,
>
> This ML is indeed the appropriate place for this kind of thing. You raise a
> legitimate question; however, the general rough consensus thinking has been
> that allowing for DPoP key rotation for refresh tokens and public clients
> (the only case where it's relevant) didn't add enough value to justify the
> added complexity. It doesn't help with the threat model for in-browser
> applications. And mobile applications have really good options for key
> storage - to the point that the kind of event that might compromise a DPoP
> key would involve a lot more than key rotation to clean up from.
>
I think this is probably true for most current signature schemes [*], but does this assumption hold for post-quantum signature algorithms? E.g., I think for some hash-based signature schemes like SPHINCS there is a trade-off between the number of signatures and the signature size - so a key that can never be rotated may have to have larger signatures to compensate, to avoid exceeding usage limits. I don't know enough about the state of the art of post-quantum signatures to say if this is a real issue or if those schemes would be appropriate for DPoP in the first place, but perhaps we should get an opinion from CFRG before baking in this assumption?

[*] There are things like repeating or biased nonces in ECDSA that can leak the private key without the storage being compromised, but I think such bugs would also require more than key rotation to recover from.

— Neil

--
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
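As an added illustration of the signature-count versus signature-size tension Neil raises (example code written for this page, not from the thread and not an implementation of SPHINCS, which is stateless and tunes this differently): a toy stateful XMSS-style Merkle-tree scheme over Lamport one-time keys, where one key pair can sign at most 2**h messages and every signature carries h sibling hashes, so widening the budget of a key that is never rotated directly costs bytes per signature. The seed and messages are constructed; hash choice, digest length and the omitted leaf index in the byte count are simplifications for this toy.

```python
import hashlib
N = 32  # SHA-256 output length; every hash carried in a signature costs N bytes

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _bits(msg: bytes):  # 256 message-digest bits, most significant first
    return [(byte >> k) & 1 for byte in H(msg) for k in range(7, -1, -1)]

def lamport_keygen(seed: bytes):  # one-time key: two secrets per digest bit
    sk = [[H(seed, bytes([i, b])) for b in (0, 1)] for i in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def pk_digest(pk):  # leaf value: hash of the whole one-time public key
    return H(*[x for pair in pk for x in pair])

class MerkleSigner:  # tree of height h over 2**h one-time keys; root = public key
    def __init__(self, h: int, seed: bytes):
        self.h, self.used = h, 0
        self.ots = [lamport_keygen(H(seed, i.to_bytes(4, "big"))) for i in range(2 ** h)]
        self.levels = [[pk_digest(pk) for _, pk in self.ots]]
        while len(self.levels[-1]) > 1:  # hash pairs upward until one root remains
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.public_key = self.levels[-1][0]

    def sign(self, msg: bytes):
        if self.used >= 2 ** self.h:  # budget spent: a Lamport key reveals half its secrets per use
            raise RuntimeError("signing budget of %d exhausted" % 2 ** self.h)
        idx, self.used = self.used, self.used + 1
        sk, pk = self.ots[idx]
        auth, i = [], idx
        for lvl in self.levels[:-1]:  # authentication path: one sibling hash per level
            auth.append(lvl[i ^ 1])
            i //= 2
        return idx, [sk[i][b] for i, b in enumerate(_bits(msg))], pk, auth

def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    idx, ots_sig, pk, auth = sig
    if not all(H(ots_sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg))):
        return False
    node = pk_digest(pk)
    for sib in auth:  # recompute the path from the leaf up to the root
        node = H(node, sib) if idx % 2 == 0 else H(sib, node)
        idx //= 2
    return node == root

def signature_bytes(sig) -> int:  # OTS sig + OTS pk + h sibling hashes (leaf index omitted)
    return (len(sig[1]) + 2 * len(sig[2]) + len(sig[3])) * N
```

Building a height-h tree also costs 2**h one-time key generations up front, which is the other side of the same budget decision.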
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
