Good observation, Ludwig.  We should do that.

                                -- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Ludwig Seitz
Sent: Thursday, March 28, 2019 12:05 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00

On 28/03/2019 11:17, Daniel Fett wrote:
> Hi all,
> 
> I published the first version of the DPoP draft at
> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
> 
> Abstract
> 
>     This document defines a sender-constraint mechanism for OAuth 2.0
>     access tokens and refresh tokens utilizing an application-level
>     proof-of-possession mechanism based on public/private key pairs.
> 
> 
> Thanks for the feedback I received so far from John, Mike, Torsten, 
> and others during today's session or before!
> 
> If you find any errors I would welcome if you open an issue in the 
> GitHub repository at https://github.com/webhamster/draft-dpop
> 
> - Daniel
> 
>

A quick nit:

In figure 3 you seem to be using the "jwk" claim to include the PoP key in the 
token. Any reason for not using the "cnf" claim from RFC 7800?

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
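The RFC 7800 "cnf" claim Ludwig is pointing at, as an added illustration that is not part of this thread, of draft-fett-oauth-dpop-00, or of any implementation: the authorization server places the client's public PoP key in cnf (by value, the "jwk" member RFC 7800 defines; or by RFC 7638 thumbprint, the "jkt" member the later DPoP specification, RFC 9449, registered, shown here only as an alternative), and the resource server checks that the key presented with a request is the bound one by comparing thumbprints. The JWK coordinates, issuer and audience are constructed placeholders, not real key material, and a full DPoP check would additionally validate the proof JWT's signature and its method/URI/freshness claims, which this block does not attempt.

```python
import base64
import hashlib
import json

# Constructed placeholder P-256 key pair for the client. The coordinates and "d"
# are not a real key; they only exercise the cnf binding logic below.
CLIENT_KEY_PAIR = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "d": "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",  # private member: must never reach cnf
    "kid": "client-key-1",
    "alg": "ES256",
}

# RFC 7638 section 3.2: the only members that enter the thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}

# Private members per key type (RFC 7518 section 6), stripped before publishing.
PRIVATE_MEMBERS = {
    "EC": ("d",),
    "RSA": ("d", "p", "q", "dp", "dq", "qi", "oth"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of required members)).

    Only the required public members are hashed, in lexicographic member order
    with no whitespace, so "kid", "alg", "use" and private members never affect it.
    """
    members = THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported or missing kty")
    try:
        canonical = {m: jwk[m] for m in members}
    except KeyError as missing:
        raise ValueError(f"JWK lacks required member {missing}") from None
    serialized = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialized.encode("utf-8")).digest())


def public_jwk(jwk: dict) -> dict:
    """Copy of the JWK with private members removed: what the AS may put in cnf.jwk."""
    private = PRIVATE_MEMBERS.get(jwk.get("kty"), ())
    return {k: v for k, v in jwk.items() if k not in private}


def issue_access_token_claims(subject: str, pop_jwk: dict, by_reference: bool = False) -> dict:
    """Authorization-server side: bind the access token claims to the client's PoP key.

    by_reference=False carries the key by value in cnf.jwk as RFC 7800 defines.
    by_reference=True carries only its thumbprint in cnf.jkt (RFC 9449), an
    alternative shown for comparison, not what draft-fett-oauth-dpop-00 specifies.
    """
    cnf = {"jkt": jwk_thumbprint(pop_jwk)} if by_reference else {"jwk": public_jwk(pop_jwk)}
    return {
        "iss": "https://as.example",  # assumed issuer
        "sub": subject,
        "aud": "https://rs.example",  # assumed resource server
        "cnf": cnf,
    }


def proof_key_matches_token(proof_jwk: dict, token_claims: dict) -> bool:
    """Resource-server side: the key presented with the request must be the bound key.

    Thumbprints are compared rather than raw JWK dicts, so member order and optional
    members such as "kid" cannot produce a false mismatch, and only the public key
    material decides the outcome.
    """
    cnf = token_claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # no binding at all: reject rather than fall back to bearer semantics
    try:
        presented = jwk_thumbprint(proof_jwk)
        if "jwk" in cnf:
            return jwk_thumbprint(cnf["jwk"]) == presented
        if "jkt" in cnf:
            return cnf["jkt"] == presented
    except ValueError:
        return False  # malformed or unsupported key on either side
    return False  # cnf present but carries no confirmation method we understand


if __name__ == "__main__":
    token = issue_access_token_claims("alice", CLIENT_KEY_PAIR)
    print(json.dumps(token, indent=2))
    print("bound key matches:", proof_key_matches_token(public_jwk(CLIENT_KEY_PAIR), token))
```

The by-value form keeps the resource server stateless about keys but inflates every token by a full JWK; the thumbprint form keeps tokens small and still lets the server recompute the RFC 7638 hash from the key the client presents, which is why the comparison above is written over thumbprints in both cases.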
