Hi all, I refreshed the PoP key distribution document. No changes to the content of the document.
The document contains two questions, namely:

QUESTION: A benefit of asymmetric cryptography is to allow clients to request a PoP token for use with multiple resource servers. The downside of that approach is linkability since different resource servers will be able to link individual requests to the same client. (The same is true if a single public key is linked with PoP tokens used with different resource servers.) Nevertheless, to support the functionality the audience parameter could carry an array of values. Is this desirable?

Hannes: My view is that we do not want to introduce linkability into OAuth via the use of these keys. As such, different keys for different origins.

QUESTION: Should we register the token_type and alg parameters for use with the dynamic client registration protocol?

Hannes: I believe we should register these two parameters into the dynamic client registration protocol since that allows us to configure the values for the client rather than exchanging them with every message.

Feedback appreciated before the submission deadline.

Ciao
Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
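Added example, not part of the original message or the draft: the linkability concern from the first question, shown by comparing RFC 7638 JWK thumbprints of the key bound to tokens seen at two resource servers. The server names, the token layout (an RFC 7800 style "cnf" member) and the key values are assumptions constructed for illustration.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required EC members, sorted, no whitespace."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def constructed_jwk(label: str) -> dict:
    # Constructed stand-in for a client public key: the coordinates are hash
    # output, not a real P-256 point. Only key identity matters here.
    x = hashlib.sha256(b"x:" + label.encode()).digest()
    y = hashlib.sha256(b"y:" + label.encode()).digest()
    return {"kty": "EC", "crv": "P-256", "x": b64url(x), "y": b64url(y)}

def pop_token(aud, jwk: dict) -> dict:
    # Assumed token body: audience plus an RFC 7800 style "cnf" key binding.
    return {"aud": aud, "cnf": {"jwk": jwk}}

def linked_keys(logs: dict) -> dict:
    """Map thumbprint -> resource servers, for keys seen at more than one."""
    seen = {}
    for rs, tokens in logs.items():
        for tok in tokens:
            seen.setdefault(jwk_thumbprint(tok["cnf"]["jwk"]), set()).add(rs)
    return {tp: servers for tp, servers in seen.items() if len(servers) > 1}

RS = ["https://rs1.example", "https://rs2.example"]  # hypothetical servers

def shared_key_logs() -> dict:
    # One key, one token whose audience is an array of both servers.
    token = pop_token(RS, constructed_jwk("client-key"))
    return {rs: [token] for rs in RS}

def per_audience_logs() -> dict:
    # A separate key and single-valued audience for each server.
    return {rs: [pop_token(rs, constructed_jwk("client-key/" + rs))] for rs in RS}

if __name__ == "__main__":
    print("shared key:      ", linked_keys(shared_key_logs()))
    print("per-audience key:", linked_keys(per_audience_logs()))
```

With the shared key, both servers record the same thumbprint and can join their request logs on it; with one key per audience, the key gives them no common value.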