On Fri, May 01, 2020 at 02:29:02AM +0000, Mike Jones wrote:
> * Is the DPoP signature really needed when requesting a bound token? It
> seems like the worst that could happen would be to create a token bound to a
> key you don't control, which you couldn't use. Daniel expressed concern
> about this enabling substitution attacks.
Substitution and confused deputy attacks, yes. I would feel a lot better if the signature is required when requesting the bound token; a fair bit of extra analysis would be needed to try to remove it.

-Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
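The check the two messages are arguing about, as an added example that is not from the thread and not any DPoP implementation's code: a client builds a DPoP proof JWT (ES256, the key in the JWS header) for its token request, and the authorization server verifies that proof before computing the key thumbprint it binds the access token to. Because the signature is checked under the key advertised in the header, a requester that advertises someone else's key (the substitution case) is refused rather than being issued a token bound to that key. Keys are generated on the spot, the `as.example` / `rs.example` URLs are hypothetical, only P-256/ES256 is handled, and the `jti` replay store an AS would keep is omitted; everything else is Go standard library.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added example (not the thread's or any library's code). Keys are constructed here;
// the AS and RS URLs are hypothetical.

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func fixed32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// jwk is a P-256 public key in JWK form (RFC 7517/7518).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func jwkOf(pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256", X: b64(fixed32(pub.X)), Y: b64(fixed32(pub.Y))}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required members in
// lexicographic order with no whitespace (json.Marshal of a map sorts the keys).
func Thumbprint(k jwk) string {
	canon, _ := json.Marshal(map[string]string{"crv": k.Crv, "kty": k.Kty, "x": k.X, "y": k.Y})
	h := sha256.Sum256(canon)
	return b64(h[:])
}

type proofClaims struct {
	Jti string `json:"jti"`
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
}

// signProof signs with priv but advertises headerKey in the JWS header. An honest client
// passes its own key; the split lets the substitution case (advertising a key one does
// not hold) be exercised.
func signProof(priv *ecdsa.PrivateKey, headerKey jwk, htm, htu string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": headerKey})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	body, _ := json.Marshal(proofClaims{Jti: b64(jti), Htm: htm, Htu: htu, Iat: now.Unix()})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:]) // ES256 signature is raw r||s
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(fixed32(r), fixed32(s)...)), nil
}

// MakeProof is what a client puts in the DPoP header of its request.
func MakeProof(priv *ecdsa.PrivateKey, htm, htu string, now time.Time) (string, error) {
	return signProof(priv, jwkOf(&priv.PublicKey), htm, htu, now)
}

// VerifyProof is the token-endpoint side. It returns the jkt to bind the token to only
// after the proof verifies under the key in its own header, so the AS never binds a
// token to a key whose possession was not demonstrated in this very request.
func VerifyProof(proof, htm, htu string, now time.Time) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWS")
	}
	var hdr struct{ Typ, Alg string; Jwk jwk }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", errors.New("bad header")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return "", errors.New("unsupported typ, alg or key type")
	}
	xb, errX := base64.RawURLEncoding.DecodeString(hdr.Jwk.X)
	yb, errY := base64.RawURLEncoding.DecodeString(hdr.Jwk.Y)
	if errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 {
		return "", errors.New("bad coordinates")
	}
	// Reject points that are not on P-256 before using the key (crypto/ecdh validates the encoding).
	if _, err := ecdh.P256().NewPublicKey(append(append([]byte{4}, xb...), yb...)); err != nil {
		return "", errors.New("jwk is not a valid P-256 point")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature invalid: requester did not prove possession of the advertised key")
	}
	var c proofClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad claims")
	}
	// Tie the proof to this request: method, endpoint URI, freshness, and a jti the AS
	// would also record to catch replay (the store is omitted here).
	if c.Htm != htm || c.Htu != htu || c.Jti == "" {
		return "", errors.New("proof is for a different request")
	}
	if d := now.Sub(time.Unix(c.Iat, 0)); d > 5*time.Minute || d < -5*time.Minute {
		return "", errors.New("proof outside acceptance window")
	}
	return Thumbprint(hdr.Jwk), nil
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, tokenURL := time.Now(), "https://as.example/token" // hypothetical AS
	p, _ := MakeProof(client, "POST", tokenURL, now)
	jkt, err := VerifyProof(p, "POST", tokenURL, now)
	fmt.Println("honest client: jkt matches =", jkt == Thumbprint(jwkOf(&client.PublicKey)), "err =", err)
	// Substitution attempt: advertise the client's key while signing with the attacker's.
	forged, _ := signProof(attacker, jwkOf(&client.PublicKey), "POST", tokenURL, now)
	_, err = VerifyProof(forged, "POST", tokenURL, now)
	fmt.Println("substituted key:", err)
}
```

The order of operations is the point: `Thumbprint` is computed from the header key only on the path where `ecdsa.Verify` already succeeded under that same key, so "a token bound to a key you don't control" can only be requested by whoever controls it. The `htm`/`htu`/`iat`/`jti` checks are what stop a proof captured for a resource request, or an old token request, from being presented at the token endpoint by a confused intermediary.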