If a client wants to re-bind an RT to a different key, its only option right now is to redo the authorization flow and get a fresh RT. This typically means the user needs to be back in the loop to progress through such a flow. This might be fine for one-off cases, but large-scale migrations (e.g. upgrading keys to PQC) would be extremely disruptive.
I know in some deployments this weakens the security properties of DPoP, as on-device malware could potentially trick the TPM into signing a request to rotate to an attacker's key, so I was thinking any spec would involve the AS indicating it supports rotation but allowing the client to configure its support preference in client metadata. I didn't see anything about this in the DPoP spec or active threads/drafts (apologies if I just missed it), so I figured I'd start something.

Nick

--
Nick Watson | Software Engineer | [email protected] | (781) 608-3352
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
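The binding the post describes is the AS-side check that a DPoP-bound refresh token (RFC 9449) may only be presented with the key whose JWK thumbprint (`cnf.jkt`, computed per RFC 7638) was recorded at issuance. The following is an added example, not code from the thread or from any DPoP implementation: it builds the refresh-time check an AS performs (typ/jwk presence, htm/htu match, iat window, jti replay cache, thumbprint comparison) and shows that a proof from any other key is rejected, which is exactly why a client today cannot rotate without a fresh authorization flow. The two JWKs are constructed sample values (KEY_A uses the RFC 7517 P-256 example coordinates; KEY_B's coordinates are altered strings, not validated curve points), the proof's signature segment is a placeholder, and signature verification of the proof against its embedded `jwk` is assumed to be done by a JOSE library before this logic runs.

```python
import base64
import hashlib
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only, in lexicographic order, no whitespace."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


# Constructed sample keys. KEY_A reuses the RFC 7517 P-256 example point;
# KEY_B's coordinates are made-up strings (a real AS would validate the point).
KEY_A = {"kty": "EC", "crv": "P-256",
         "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
         "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
KEY_B = {"kty": "EC", "crv": "P-256",
         "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
         "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}


def make_proof(jwk: dict, htm: str, htu: str, iat: int, jti: str) -> str:
    """Build the DPoP proof JWT shape (header.payload.signature).
    Hypothetical helper: the signature segment is a placeholder, not a real
    ES256 signature over the signing input."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"jti": jti, "htm": htm, "htu": htu, "iat": iat}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), "placeholder-signature"])


def check_refresh_request(proof: str, rt_record: dict, htm: str, htu: str,
                          now: int, seen_jti: set, max_skew: int = 300):
    """AS-side check when a DPoP-bound refresh token is presented.
    rt_record['jkt'] is the thumbprint stored at issuance (cnf.jkt).
    Returns (accepted, reason_or_thumbprint)."""
    parts = proof.split(".")
    if len(parts) != 3:
        return False, "malformed proof"
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return False, "not a DPoP proof"
    # Assumed: proof signature verified against header["jwk"] by a JOSE
    # library before reaching this point.
    if payload.get("htm") != htm or payload.get("htu") != htu:
        return False, "proof bound to a different request"
    if abs(now - int(payload.get("iat", 0))) > max_skew:
        return False, "proof outside acceptance window"
    if payload.get("jti") in seen_jti:
        return False, "proof replayed"
    presented = jwk_thumbprint(header["jwk"])
    if presented != rt_record["jkt"]:
        # This is the branch a key rotation would have to get past today:
        # a new key means a new RT via a full authorization flow.
        return False, "refresh token is bound to a different key"
    seen_jti.add(payload["jti"])
    return True, presented


if __name__ == "__main__":
    htu = "https://as.example/token"  # constructed endpoint
    rt = {"token": "constructed-rt", "jkt": jwk_thumbprint(KEY_A)}
    now = int(time.time())
    cache = set()
    print(check_refresh_request(make_proof(KEY_A, "POST", htu, now, "j1"),
                                rt, "POST", htu, now, cache))
    print(check_refresh_request(make_proof(KEY_B, "POST", htu, now, "j2"),
                                rt, "POST", htu, now, cache))
```

The replay cache and the htm/htu check are what keep a captured proof from being reused against the token endpoint; the thumbprint comparison is the binding itself, and any rotation extension would need to define what a proof from the old key must carry before the AS is allowed to overwrite `rt_record["jkt"]` with the new key's thumbprint.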
