Hi,

I'm going to expose my ignorance here... but what is the rationale for requiring the public key in every DPoP proof? Is there a security reason, or is it for ease of development? If large RSA keys are being used, that public key is rather large for sending with every request, when even a fingerprint of the key would suffice to identify it.

From my reading of the spec, there isn't a way for a server that wants to remember the public key in backend session state to optimize the proof.

Thanks,
George
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
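To make the mechanism George is asking about concrete, here is an added example; it is not from this thread, from the DPoP draft, or from any DPoP library. It shows the two halves of the key binding: the proof carries the full public key in its `jwk` header, the access token carries only the RFC 7638 JWK thumbprint in `cnf.jkt`, and a resource server verifies the proof's signature with the key embedded in the proof and then compares that key's thumbprint against the token, with no stored key and no session state. To run offline without any library, the signing is a constructed toy (512-bit RSA generated with Miller-Rabin, unpadded hash-then-RSA); a real proof uses a JWS algorithm such as RS256 or ES256 with proper padding, so the `alg` value here is structural only. The verifier also applies the checks a practitioner would want on every proof: no private key material in `jwk`, `htm`/`htu` match the request, `iat` within a window, and `jti` not replayed. Method names, the URL and the timestamps are all made up for the example.

```python
import base64
import hashlib
import json
import random
import time
import uuid

# base64url helpers (JWS/JWK encoding without padding)
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def int_to_b64url(n: int) -> str:
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))

def b64url_to_int(s: str) -> int:
    return int.from_bytes(b64url_decode(s), "big")

# Toy RSA, constructed for this example so it runs with no dependencies.
# A 512-bit key is far too small for real use; it is just fast to generate here.
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(cand):
            return cand

def gen_rsa_key(bits: int = 512) -> dict:
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def public_jwk(key: dict) -> dict:
    # Public members only: the jwk header of a proof must never carry "d".
    return {"kty": "RSA", "n": int_to_b64url(key["n"]), "e": int_to_b64url(key["e"])}

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members, keys sorted, no whitespace.
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())

def toy_sign(key: dict, signing_input: bytes) -> bytes:
    # Unpadded hash-then-RSA; real RS256 applies PKCS#1 v1.5 padding. Demo only.
    h = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    sig = pow(h, key["d"], key["n"])
    return sig.to_bytes((key["n"].bit_length() + 7) // 8, "big")

def toy_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    h = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h

def make_dpop_proof(key: dict, method: str, url: str, now=None) -> str:
    # Client side: full public key in the header, request binding in the claims.
    header = {"typ": "dpop+jwt", "alg": "RS256", "jwk": public_jwk(key)}
    claims = {"jti": str(uuid.uuid4()), "htm": method, "htu": url,
              "iat": now if now is not None else int(time.time())}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + b64url(toy_sign(key, signing_input.encode()))

def verify_dpop_proof(proof, method, url, expected_jkt, seen_jti, now=None, max_age=60):
    # Resource-server side: inputs are the proof and the token's cnf.jkt only.
    now = now if now is not None else int(time.time())
    try:
        h_b64, c_b64, s_b64 = proof.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        sig = b64url_decode(s_b64)
    except ValueError:
        return False, "malformed proof"
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or not isinstance(jwk, dict):
        return False, "bad header"
    if "d" in jwk:
        return False, "private key material in jwk"
    if not toy_verify(jwk, f"{h_b64}.{c_b64}".encode(), sig):  # key comes from the proof
        return False, "bad signature"
    if jwk_thumbprint(jwk) != expected_jkt:  # key bound to the token via cnf.jkt
        return False, "thumbprint mismatch"
    if claims.get("htm") != method or claims.get("htu") != url:
        return False, "htm/htu mismatch"
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        return False, "iat outside window"
    if claims.get("jti") in seen_jti:
        return False, "replayed jti"
    seen_jti.add(claims["jti"])
    return True, "ok"
```

The order of checks in `verify_dpop_proof` is deliberate: the signature is checked with the key the proof itself supplies, and only then is that key tied to the access token by thumbprint, which is why a thumbprint alone in the proof would not let a stateless resource server verify anything. The `seen_jti` set stands in for whatever replay cache a server keeps; it needs to cover at least the `max_age` window.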