George,

> I don't see them the same at all. With MTLS, the token is bound to the
> transport layer (and the key used to establish that encrypted connection).
> With DPOP, the token is bound to the private key known to the client.

Strictly speaking both solutions tie the token to the public key and the client needs to demonstrate possession of the private key through some security protocol.

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth