On 07.05.19 at 16:12, George Fletcher wrote:
> I don't see them the same at all. With MTLS, the token is bound to the
> transport layer (and the key used to establish that encrypted
> connection). With DPOP, the token is bound to the private key known to
> the client.

They are certainly not the same, and as you wrote further below, MTLS is
more secure. I also wouldn't call one of them the superset of the other one.

That said, they are similar in their functionality. One could, in
theory, use MTLS on the token endpoint and DPoP for the resource access
and vice-versa.

We could specify both MTLS and DPoP in a single document. But I am not
sure what the added value of that would be.

Pending good arguments for a merge, I would propose to continue the work
on both MTLS and DPoP. They both have their merits.

- Daniel


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
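The two bindings the thread contrasts, as an added example that is not part of the original discussion and not code from either draft: a resource server's check for a DPoP-bound token (verify the proof JWT under the key it carries, then compare that key's RFC 7638 thumbprint with the token's cnf.jkt) next to the corresponding check for an MTLS-bound token (compare the SHA-256 of the client certificate the TLS layer authenticated with the token's cnf x5t#S256, the confirmation method of the MTLS draft later published as RFC 8705). Go standard library only; the proof layout (typ dpop+jwt, embedded jwk, htm/htu/iat/jti) follows the DPoP draft. The URL https://rs.example/resource, the five-minute iat window and leaving out a jti replay store are assumptions of this example, not anything the thread or the drafts fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JOSE uses
func sha256b64(b []byte) string { s := sha256.Sum256(b); return b64.EncodeToString(s[:]) }

// jwk: EC P-256 public key in JWK form; member order is the RFC 7638 thumbprint order (crv, kty, x, y).
type jwk struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func pubToJWK(pub *ecdsa.PublicKey) jwk {
	return jwk{"P-256", "EC", b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))), b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// JWKThumbprint (RFC 7638) is the value the AS puts into a DPoP-bound token's cnf.jkt.
func JWKThumbprint(k jwk) string {
	raw, _ := json.Marshal(k) // compact JSON, members already in lexicographic order
	return sha256b64(raw)
}

// CertThumbprint is the cnf x5t#S256 value of an MTLS-bound token: SHA-256 over the DER certificate.
func CertThumbprint(der []byte) string { return sha256b64(der) }

// MakeDPoPProof signs an ES256 proof JWT for one request (method + URL) with the client's private key.
func MakeDPoPProof(priv *ecdsa.PrivateKey, htm, htu string) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubToJWK(&priv.PublicKey)})
	jti := make([]byte, 16)
	rand.Read(jti) // fresh per proof so the RS can detect replay
	body, _ := json.Marshal(map[string]any{"htm": htm, "htu": htu, "iat": time.Now().Unix(), "jti": b64.EncodeToString(jti)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyDPoP is the resource server's side: the proof must verify under the key it carries (alg pinned to ES256,
// never taken from the proof), that key's thumbprint must equal the token's cnf.jkt, and htm/htu/iat must fit
// the request being served. A real RS also keeps recent jti values to reject replays; that store is assumed away here.
func VerifyDPoP(proof, cnfJkt, htm, htu string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	var hdr struct{ Typ, Alg string; Jwk jwk }
	var claims struct{ Htm, Htu string; Iat int64 }
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sb, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sb) != 64 || json.Unmarshal(hb, &hdr) != nil ||
		json.Unmarshal(cb, &claims) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" {
		return errors.New("malformed proof or unexpected typ/alg")
	}
	dec := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: dec(hdr.Jwk.X), Y: dec(hdr.Jwk.Y)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(&pub, h[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])) {
		return errors.New("signature invalid")
	}
	if JWKThumbprint(hdr.Jwk) != cnfJkt { // the binding itself: the proving key must be the token's key
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	age := time.Since(time.Unix(claims.Iat, 0))
	if claims.Htm != htm || claims.Htu != htu || age < -5*time.Minute || age > 5*time.Minute {
		return errors.New("proof not made for this request, or outside the acceptance window")
	}
	return nil
}

// VerifyMTLSBinding: with MTLS there is no proof to parse. TLS already proved possession of the key, so the RS
// hashes the client certificate from the connection (ConnectionState().PeerCertificates[0].Raw) against cnf x5t#S256.
func VerifyMTLSBinding(peerCertDER []byte, cnfX5t string) bool {
	return CertThumbprint(peerCertDER) == cnfX5t
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := MakeDPoPProof(key, "GET", "https://rs.example/resource")
	fmt.Println("DPoP proof accepted:", VerifyDPoP(proof, JWKThumbprint(pubToJWK(&key.PublicKey)), "GET", "https://rs.example/resource") == nil)
}
```

The contrast in size is the point: with MTLS the proof of possession already happened in the handshake, so the RS check is a single hash comparison, while with DPoP the RS itself has to do the signature verification, the method/URL match, the freshness window and the replay tracking, each of which is a place an implementation can go wrong.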
