> On May 7, 2019, at 8:12 AM, George Fletcher
> <gffletch=40aol....@dmarc.ietf.org> wrote:
>
> To compromise an MTLS bound token the attacker has to compromise the private
> key. To compromise a DPOP bound token, depending on what HTTP request
> elements are signed, and whether the DPOP is managed as one-time-use etc,
> there are additional attacks. (Ducks head and waits for all the real security
> experts to prove me wrong:)
Both should wind up supporting either longer-term, issued keys or ephemeral
keys - and either exportable or not.
Off the top of my head, if your application is compromised I can’t think of a
difference in the kinds of abuse that could be performed with equivalent
policies and key protections.
-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
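The "additional attacks" George points to depend on which request elements a DPoP proof binds (method, URI) and whether the resource server enforces one-time use of the proof; the following added example, not code from this thread or any IETF implementation, shows those resource-server checks in Python on a constructed proof payload. It assumes the proof JWT's signature has already been verified against the JWK in its header and that key's thumbprint matches the bound token's cnf.jkt, so only the claim-level binding and replay checks are shown; the claim values, window sizes and function names are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed DPoP proof claims (the JWT payload, already parsed and
# signature-checked upstream); values are made up for the example.
PROOF = {"jti": "e1j3V_bKic8-LAEB", "htm": "POST",
         "htu": "https://resource.example.org/protectedresource",
         "iat": 1562262618}

def normalize_htu(url):
    # htu is compared without query and fragment; scheme and host are
    # case-insensitive, so lower-case them before comparing.
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))

class DPoPReplayCache:
    """Remembers jti values for as long as a proof could still pass the freshness check."""
    def __init__(self, max_age):
        self.max_age = max_age
        self._seen = {}  # jti -> iat of the proof that used it

    def check_and_remember(self, jti, iat, now):
        # Entries older than the freshness window cannot be replayed anyway,
        # so they are purged to keep the cache bounded.
        for old in [j for j, t in self._seen.items() if now - t > self.max_age]:
            del self._seen[old]
        if jti in self._seen:
            return False
        self._seen[jti] = iat
        return True

def check_dpop_proof(claims, method, url, now, cache, max_age=60, skew=5):
    """Return (accepted, reason): binds the proof to the HTTP method and URI
    of the actual request, bounds its age, and enforces one-time use."""
    for name in ("jti", "htm", "htu", "iat"):
        if name not in claims:
            return False, "missing claim " + name
    if claims["htm"].upper() != method.upper():
        return False, "htm does not match request method"
    if normalize_htu(claims["htu"]) != normalize_htu(url):
        return False, "htu does not match request URI"
    age = now - claims["iat"]
    if age > max_age or age < -skew:
        return False, "proof outside freshness window"
    if not cache.check_and_remember(claims["jti"], claims["iat"], now):
        return False, "jti already used (replay)"
    return True, "ok"
```

Without the jti cache, a captured proof stays usable for the whole freshness window against the same method and URI, which is the difference from an mTLS-bound token that George's message alludes to.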