* To avoid the misconfiguration issue Neil raised, you probably need both: a client-cert and a signature over the certificate being forwarded,

I am not so sure. One can argue that transport-level identity should be secured at the transport level. But installing a client certificate on a reverse proxy can be difficult. (Not if the reverse proxy is a CDN, of course :) And I don’t see how having both prevents misconfiguration, but that might be my fault.

* This could still be achieved by extending RFC7239 with new parameter(s).

I have no opinion on this part of it.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth