Re: [OAUTH-WG] Informal RFC: DPoP using ECDH + HMAC instead of DSA

2023-01-04 Thread Zack Voase
Thanks, this is really useful context! There are other places in OAuth where I think more DH could be useful (e.g. removing a network hop from PKCE by replacing the code challenge with an ephemeral public key, and having the authorization server derive a key and then directly return an access

Re: [OAUTH-WG] Informal RFC: DPoP using ECDH + HMAC instead of DSA

2023-01-04 Thread Brian Campbell
Hi Zack,

For whatever it's worth, HMAC PoP has been discussed in the past (in a few different incarnations). Neil Madden put forth the idea of a somewhat similar sounding Diffie-Hellman style approach https://mailarchive.ietf.org/arch/msg/oauth/1Zltt75p5taPw0DRmhoKLbavu9s/, which I sort of

[OAUTH-WG] Informal RFC: DPoP using ECDH + HMAC instead of DSA

2023-01-04 Thread Zack Voase
Hi OAuth list,

Hopefully this is the right place for this message. I wanted to surface an idea for an alternative DPoP approach to the current one based on digital signatures. I'm looking for feedback to determine whether it's worth investigating further or writing up a proper RFC. Is there