Aspects of this were previously discussed, on and off list. According to section 2.3, clients registering for public key bound mTLS auth must register their public keys as JWKs, or client X.509 certificate (as x5c parameter in RSA and EC JWK).
In the latter case, are there any security implications if there is a mismatch between the registered x5c and the top-level public key JWK parameters? Should the AS perform some sanity checks on the JWK parameters? A client could for instance register a JWK where the top-level JWK public key doesn't match the public key in the x5c (as key type, or public key value).

Thanks,
Vladimir
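As an added example that is not part of Vladimir's message or of the draft, the following Go program shows the kind of sanity check an authorization server could run at client registration: it decodes the leaf certificate in `x5c`, extracts its public key, and compares it against the top-level `kty`, `n`/`e` (RSA) or `crv`/`x`/`y` (EC) members, rejecting the JWK on any mismatch. The function names (`checkX5cConsistency`, `ConsistentAndMismatched`, and helpers) are hypothetical; the keys and self-signed certificates are generated at run time as constructed test data, so nothing here is a real client credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// jwk holds only the JWK members this check needs (RFC 7517 / RFC 7518 names).
type jwk struct {
	Kty string   `json:"kty"`
	N   string   `json:"n,omitempty"`
	E   string   `json:"e,omitempty"`
	Crv string   `json:"crv,omitempty"`
	X   string   `json:"x,omitempty"`
	Y   string   `json:"y,omitempty"`
	X5c []string `json:"x5c,omitempty"`
}

// b64uToBig decodes a base64url (no padding) JWK integer; nil on bad input.
func b64uToBig(s string) *big.Int {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil
	}
	return new(big.Int).SetBytes(b)
}

func bigToB64u(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.Bytes()) }

// checkX5cConsistency (hypothetical name) returns nil only when the leaf certificate in
// x5c carries exactly the public key described by the top-level JWK parameters.
func checkX5cConsistency(raw []byte) error {
	var k jwk
	if err := json.Unmarshal(raw, &k); err != nil {
		return err
	}
	if len(k.X5c) == 0 {
		return errors.New("no x5c present")
	}
	// x5c entries are standard base64 with padding, not base64url (RFC 7517 section 4.7).
	der, err := base64.StdEncoding.DecodeString(k.X5c[0])
	if err != nil {
		return fmt.Errorf("x5c[0] is not valid base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("x5c[0] is not a valid certificate: %w", err)
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.Kty != "RSA" {
			return fmt.Errorf("kty %q but certificate key is RSA", k.Kty)
		}
		n, e := b64uToBig(k.N), b64uToBig(k.E)
		if n == nil || e == nil || n.Cmp(pub.N) != 0 || e.Int64() != int64(pub.E) {
			return errors.New("RSA n/e do not match certificate public key")
		}
	case *ecdsa.PublicKey:
		if k.Kty != "EC" {
			return fmt.Errorf("kty %q but certificate key is EC", k.Kty)
		}
		if k.Crv != pub.Curve.Params().Name { // Go curve names match JWK crv values (e.g. "P-256")
			return fmt.Errorf("crv %q does not match certificate curve %q", k.Crv, pub.Curve.Params().Name)
		}
		x, y := b64uToBig(k.X), b64uToBig(k.Y)
		if x == nil || y == nil || x.Cmp(pub.X) != 0 || y.Cmp(pub.Y) != 0 {
			return errors.New("EC x/y do not match certificate public key")
		}
	default:
		return errors.New("unsupported certificate key type")
	}
	return nil
}

// selfSignedRSA builds a throwaway key and self-signed certificate (constructed test data).
func selfSignedRSA() (*rsa.PrivateKey, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-client"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return key, der
}

// buildRSAJWK assembles a registration JWK from a certificate and a top-level RSA key.
func buildRSAJWK(der []byte, pub *rsa.PublicKey) []byte {
	k := jwk{Kty: "RSA", N: bigToB64u(pub.N), E: bigToB64u(big.NewInt(int64(pub.E))),
		X5c: []string{base64.StdEncoding.EncodeToString(der)}}
	out, _ := json.Marshal(k)
	return out
}

// ConsistentAndMismatched runs the check on a consistent JWK and on one whose
// top-level n/e come from a different key than the x5c certificate.
func ConsistentAndMismatched() (error, error) {
	keyA, derA := selfSignedRSA()
	keyB, _ := selfSignedRSA()
	good := buildRSAJWK(derA, &keyA.PublicKey)
	bad := buildRSAJWK(derA, &keyB.PublicKey)
	return checkX5cConsistency(good), checkX5cConsistency(bad)
}

func main() {
	okErr, badErr := ConsistentAndMismatched()
	fmt.Println("consistent JWK:", okErr)
	fmt.Println("mismatched JWK:", badErr)
}
```

The check only compares the leaf (first) certificate, which is the one RFC 7517 says the key must correspond to; chain validation, expiry and the choice of which of the two representations the AS actually binds the mTLS client to are separate decisions the draft text does not settle.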
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth