Hi, 

mTLS is dead simple to use, secure, is used and can be used on a broad basis 
(in contrast to the token binding stuff). I also like the fact it provides both 
client authentication and sender-constraining.

We started the work on DPoP for the simple reason that SPAs don’t work well 
with mTLS and we want to provide a solution with somehow limited capabilities, 
e.g. regarding replay protection (see DPoP introduction). 

If someone asks me for the default solution, it’s simple: use mTLS. And if you 
build a SPA and want to do really security sensitive things, implement your 
OAuth stuff and the RS interactions in the backend of your application. 

DPoP is in a really early stage, let’s see where it will go.

best regards,
Torsten. 

> On 7. May 2019, at 10:25, Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
> 
> Hi all,
>  
> In the OAuth conference call today Vittorio mentioned that some folks are 
> wondering whether DPOP is essentially a superset of MTLS and whether it makes 
> sense to only proceed with one solution rather than potentially two.
>  
> I was wondering whether others in the group have a view about this aspect?
>  
> Ciao
> Hannes
>  
> IMPORTANT NOTICE: The contents of this email and any attachments are 
> confidential and may also be privileged. If you are not the intended 
> recipient, please notify the sender immediately and do not disclose the 
> contents to any other person, use it for any purpose, or store or copy the 
> information in any medium. Thank you. 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
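The "sender-constraining" that Torsten credits mTLS with is the certificate-bound access token of RFC 8705: the authorization server records the SHA-256 thumbprint of the client certificate in the token's cnf claim as x5t#S256, and the resource server only honours the token when the certificate authenticated on its own TLS connection has the same thumbprint. The sketch below is an added example, not code from the thread or from any OAuth working-group draft; the function names are my own, the byte strings are constructed stand-ins for real DER-encoded certificates, and the resource server is assumed to obtain the certificate from its TLS stack rather than from a request header.

```python
import base64
import hashlib
import hmac

# Constructed placeholders for DER-encoded certificates (a real deployment
# would pass the bytes taken from the TLS layer, e.g. ssl getpeercert(binary_form=True)).
CLIENT_CERT_DER = b"constructed-placeholder-DER-for-client-A"
OTHER_CERT_DER = b"constructed-placeholder-DER-for-client-B"


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint as defined for RFC 8705's cnf "x5t#S256" member:
    base64url, without padding, of the SHA-256 hash of the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_sender_constrained_claims(sub: str, scope: str, client_cert_der: bytes) -> dict:
    """Authorization-server side: bind the token to the certificate the client
    presented on the mTLS connection to the token endpoint."""
    return {
        "sub": sub,
        "scope": scope,
        "cnf": {"x5t#S256": x5t_s256(client_cert_der)},
    }


def resource_server_accepts(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server side: the token is usable only over a TLS connection
    authenticated with the bound certificate. A stolen token replayed from
    another client (different key, different certificate) fails this check.
    Tokens without a confirmation claim are treated as plain bearer tokens and
    rejected under this policy."""
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if expected is None:
        return False
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


if __name__ == "__main__":
    token_claims = issue_sender_constrained_claims("alice", "read", CLIENT_CERT_DER)
    print("bound thumbprint:", token_claims["cnf"]["x5t#S256"])
    print("same client   ->", resource_server_accepts(token_claims, CLIENT_CERT_DER))
    print("other client  ->", resource_server_accepts(token_claims, OTHER_CERT_DER))
```

The point of the comparison with DPoP is that here the proof of possession is done entirely by the TLS handshake, so the resource server never parses a per-request proof and the replay window is the TLS session itself; the cost is that the client must hold a certificate and private key, which is exactly what a browser-based SPA cannot do conveniently.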
