Hi Emelia,

Thank you for pointing this out. I agree that the relationship between these two drafts should be described more clearly. While both drafts make use of attestation, they address different problem statements and, consequently, pursue different objectives.
Draft-ietf-oauth-attestation-based-client-auth-09 focuses primarily on client authentication and audience blinding. It defines how a client instance presents a key-bound attestation alongside proof of possession to the Authorization Server, serving either as a primary authentication mechanism or as an additional security signal. On the other hand, the draft-ekahraman-oauth-attestation-authz-native-app document addresses a distinct layer: how verifier-issued Attestation Results are evaluated by the Authorization Server and how those evaluations subsequently influence the scopes issued to Native Applications. I will revise the "Related Works" section in the next iteration of the draft to include these details and better articulate this distinction.

Best regards,
Efe
