Good observation, Ludwig. We should do that.

-- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Ludwig Seitz
Sent: Thursday, March 28, 2019 12:05 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00

On 28/03/2019 11:17, Daniel Fett wrote:
> Hi all,
>
> I published the first version of the DPoP draft at
> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
>
> Abstract
>
> This document defines a sender-constraint mechanism for OAuth 2.0
> access tokens and refresh tokens utilizing an application-level
> proof-of-possession mechanism based on public/private key pairs.
>
>
> Thanks for the feedback I received so far from John, Mike, Torsten,
> and others during today's session or before!
>
> If you find any errors I would welcome if you open an issue in the
> GitHub repository at https://github.com/webhamster/draft-dpop
>
> - Daniel
>
>

A quick nit: in figure 3 you seem to be using the "jwk" claim to include the pop-key in the token. Any reason for not using the "cnf" claim from RFC 7800?

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth