On Tue, Apr 07, 2020 at 03:31:09PM -0600, Brian Campbell wrote:
> One of the primary motivations for the proof-of-possession mechanism of
> DPoP being at the application layer was to hopefully enable implementation
> and deployment by regular application developers. A lesson learned from the
> difficulties and lack of adoption around Token Binding was that access to
> TLS exporters is non-existent or prohibitively cumbersome in many
> development environments. Browsers, for example, don't expose any such API
> to javascript. And that's a non-starter here.
> 
> Are there other practical ways to include a server contribution that have
> been overlooked?

The main thing that comes to mind is (basically) an explicit nonce, which
costs an extra round trip unless you get clever.

In particular, "get clever" can be something that amortizes a single extra
round trip across *all* interactions with that server, akin to how ACME
requires a fresh nonce (and signature) for each request (RFC 8555).

-Ben
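The amortized-nonce pattern described above, worked through as an added example that is not part of this thread or of any DPoP draft: the server returns a fresh single-use nonce with every response (ACME-style), so only the client's first request pays the extra round trip, and a replayed proof is rejected. The HMAC signature, the `use_server_nonce` error string and the claim names are assumptions standing in for a real JWS-signed proof.

```python
import hashlib, hmac, json, secrets, time

def sign(key: bytes, claims: dict) -> str:
    # HMAC stands in for the JWS signature of a real DPoP proof (assumption of this example)
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Server:
    """Resource server that, like ACME (RFC 8555), returns a fresh single-use nonce
    with every response, so the client pays the extra round trip only once."""
    def __init__(self, client_key: bytes, ttl: float = 300.0):
        self.client_key, self.ttl = client_key, ttl
        self.nonces = {}                         # nonce -> issue time; deleted when consumed

    def new_nonce(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = time.time()
        return nonce

    def handle(self, proof: dict) -> tuple:
        """Returns (status, body, next_nonce); every reply carries a new nonce."""
        claims = proof["claims"]
        if not hmac.compare_digest(proof["sig"], sign(self.client_key, claims)):
            return 401, "invalid_proof", self.new_nonce()
        issued = self.nonces.pop(claims.get("nonce"), None)   # single use: pop, never get
        if issued is None or time.time() - issued > self.ttl:
            # missing, replayed or expired nonce: reject, but supply the one to retry with
            return 401, "use_server_nonce", self.new_nonce()
        return 200, "ok", self.new_nonce()

class Client:
    def __init__(self, key: bytes):
        self.key, self.nonce = key, None         # nonce cached from the previous response

    def proof(self, method: str, url: str) -> dict:
        claims = {"htm": method, "htu": url, "iat": int(time.time()),
                  "jti": secrets.token_hex(8), "nonce": self.nonce}
        return {"claims": claims, "sig": sign(self.key, claims)}

    def request(self, server: Server, method: str, url: str) -> tuple:
        """Returns (status, round_trips); the retry happens only when no nonce is cached."""
        status, body, self.nonce = server.handle(self.proof(method, url))
        trips = 1
        if status == 401 and body == "use_server_nonce":
            status, body, self.nonce = server.handle(self.proof(method, url))
            trips += 1
        return status, trips

def demo() -> dict:
    key = b"constructed-demo-key"                # constructed sample key, not a real credential
    server, client, url = Server(key), Client(key), "https://rs.example/resource"
    trips = [client.request(server, "GET", url) for _ in range(3)]
    replay = client.proof("GET", url)            # the same proof (and nonce) sent twice
    return {"requests": trips, "replay": (server.handle(replay)[0], server.handle(replay)[0])}
```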

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth