> On 2 Jul 2026, at 16:55, Justin Richer <[email protected]> wrote:
> 
>  I do not recall any agreement that “bearer + cnf” is the acceptable or 
> preferred pattern. DPoP uses the “dpop" scheme today, which is the closest 
> precedent. To this day I believe the MTLS spec’s re-use of “bearer” auth 
> scheme is a mistake. In any case, this is not a bearer token and should not 
> be accepted in any place that a bearer token would be accepted — that kind of 
> downgrade would be a huge flaw in the system.

Well my view is that the “Bearer” auth scheme was misnamed. Nothing about it is 
inherently coupled to bearer tokens. Using distinct auth schemes for different 
token types has little benefit and has the huge drawback that the auth scheme 
is attacker-controlled vs cnf which comes from validated token metadata. Thus 
making exactly those kinds of downgrade attacks more likely not less. 

But we’ve had this conversation before:

https://mailarchive.ietf.org/arch/msg/oauth/sDPJVpm3h3ETNZrcomjMM36KAeQ/


> On key rotation, I think that’s going to be use case specific in a lot of 
> ways, but it would be great to have additional privacy and security 
> considerations — in the doc you can see that they’re basically stubs right 
> now (along with IANA).

Signing email messages by default has had widespread unintended consequences, 
even politically. HttpSig has the benefit of not signing the content by 
default, so I think this can be addressed. But it’s something that should be 
high on the list of privacy considerations. (Maybe in fact the draft could 
standardise a method for a user to consent to signed requests? OAuth would seem 
well placed to handle that). 

— Neil
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to