Except that the jwk header is more appropriate in the given context https://tools.ietf.org/html/rfc7515#section-4.1.3 - it is the public key that corresponds to the key used to digitally sign the JWS. Which is what it is.
On Thu, Mar 28, 2019, 6:32 AM Mike Jones <Michael.Jones=40microsoft....@dmarc.ietf.org> wrote:

> Good observation, Ludwig. We should do that.
>
> -- Mike
>
> -----Original Message-----
> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Thursday, March 28, 2019 12:05 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00
>
> On 28/03/2019 11:17, Daniel Fett wrote:
> > Hi all,
> >
> > I published the first version of the DPoP draft at
> > https://tools.ietf.org/html/draft-fett-oauth-dpop-00
> >
> > Abstract
> >
> > This document defines a sender-constraint mechanism for OAuth 2.0
> > access tokens and refresh tokens utilizing an application-level
> > proof-of-possession mechanism based on public/private key pairs.
> >
> >
> > Thanks for the feedback I received so far from John, Mike, Torsten,
> > and others during today's session or before!
> >
> > If you find any errors I would welcome if you open an issue in the
> > GitHub repository at https://github.com/webhamster/draft-dpop
> >
> > - Daniel
> >
> >
> A quick nit:
>
> in figure 3 you seem to be using the "jwk" claim to include the pop-key in
> the token. Any reason for not using the "cnf" claim from RFC 7800?
>
> /Ludwig
>
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
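The two things the thread contrasts, shown side by side as an added example (this is not code from the DPoP draft or from any participant in the thread): a "jwk" JWS header parameter (RFC 7515 section 4.1.3) carries the public half of the key that signed the proof JWS, while an RFC 7800 "cnf" claim in the access token records which key the token was bound to. A resource server verifies the proof with the key in its own header and then requires that key to equal the token's cnf key; verifying the signature alone only shows the sender holds some key. Assumptions not taken from the thread: ES256 over P-256, the cnf.jwk form of the confirmation claim, the "dpop+jwt" typ value and the http_method/http_uri proof claim names (labelled as assumed in the code), and a constructed access-token payload in place of a real issued token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the P-256 public key members used here (RFC 7517 / RFC 7518).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

var enc = base64.RawURLEncoding

// NewKey generates the client's P-256 key pair.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// ToJWK renders the public half as a JWK with fixed 32-byte coordinates.
func ToJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{Kty: "EC", Crv: "P-256",
		X: enc.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: enc.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// FromJWK parses a P-256 JWK and rejects coordinates that are not a curve point.
func FromJWK(k JWK) (*ecdsa.PublicKey, error) {
	if k.Kty != "EC" || k.Crv != "P-256" {
		return nil, errors.New("unsupported key type")
	}
	xb, errX := enc.DecodeString(k.X)
	yb, errY := enc.DecodeString(k.Y)
	if errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 {
		return nil, errors.New("malformed coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("point not on curve")
	}
	return pub, nil
}

// SignProof builds a compact ES256 JWS whose "jwk" header parameter carries the
// public key matching the signing key (RFC 7515 section 4.1.3). "dpop+jwt" is an assumed typ value.
func SignProof(priv *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, err := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": ToJWK(&priv.PublicKey)})
	if err != nil {
		return "", err
	}
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS R||S form
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyProof checks the signature with the key embedded in the proof's own header and
// returns that key. Alone this proves possession of *a* key, not of the token's key.
func VerifyProof(jws string) (JWK, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return JWK{}, errors.New("not a compact JWS")
	}
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return JWK{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		JWK JWK    `json:"jwk"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return JWK{}, err
	}
	if hdr.Alg != "ES256" {
		return JWK{}, errors.New("unexpected alg")
	}
	pub, err := FromJWK(hdr.JWK)
	if err != nil {
		return JWK{}, err
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return JWK{}, errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return JWK{}, errors.New("bad signature")
	}
	return hdr.JWK, nil
}

// BoundKey reads cnf.jwk (RFC 7800 section 3.2) from an access-token payload.
func BoundKey(tokenPayload []byte) (JWK, error) {
	var tok struct {
		Cnf struct {
			JWK *JWK `json:"jwk"`
		} `json:"cnf"`
	}
	if err := json.Unmarshal(tokenPayload, &tok); err != nil {
		return JWK{}, err
	}
	if tok.Cnf.JWK == nil {
		return JWK{}, errors.New("token carries no cnf.jwk")
	}
	return *tok.Cnf.JWK, nil
}

// ProofMatchesToken is the resource server's binding check: the proof's header
// key must be the key the access token was confirmed for.
func ProofMatchesToken(proof string, tokenPayload []byte) error {
	proofKey, err := VerifyProof(proof)
	if err != nil {
		return err
	}
	boundKey, err := BoundKey(tokenPayload)
	if err != nil {
		return err
	}
	if proofKey != boundKey {
		return errors.New("proof key does not match cnf")
	}
	return nil
}

func main() {
	clientKey, _ := NewKey()
	otherKey, _ := NewKey()
	// Constructed sample token payload: the AS bound it to clientKey via cnf.jwk.
	token, _ := json.Marshal(map[string]interface{}{"iss": "https://as.example", "sub": "alice",
		"cnf": map[string]interface{}{"jwk": ToJWK(&clientKey.PublicKey)}})
	claims := map[string]interface{}{"jti": "n-0S6_WzA2Mj", "iat": time.Now().Unix(),
		"http_method": "GET", "http_uri": "https://rs.example/resource"} // assumed claim names
	good, _ := SignProof(clientKey, claims)
	bad, _ := SignProof(otherKey, claims)
	fmt.Println("bound key:", ProofMatchesToken(good, token))     // <nil>
	fmt.Println("other key:", ProofMatchesToken(bad, token))      // proof key does not match cnf
}
```

The point the example makes concrete: a proof signed under a different key still has a perfectly valid "jwk" header and a valid signature, so VerifyProof succeeds on it; only the comparison against the token's cnf claim rejects it. A token that carries no cnf at all is rejected outright rather than treated as bound to whatever key the proof names.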