One of the primary motivations for the proof-of-possession mechanism of DPoP being at the application layer was to hopefully enable implementation and deployment by regular application developers. A lesson learned from the difficulties and lack of adoption around Token Binding was that access to TLS exporters is non-existent or prohibitively cumbersome in many development environments. Browsers, for example, don't expose any such API to JavaScript. And that's a non-starter here.
Are there other practical ways to include a server contribution that have been overlooked?

On Mon, Apr 6, 2020 at 9:54 PM Benjamin Kaduk <ka...@mit.edu> wrote:

> There should be plenty of ways to include a server contribution into the
> DPoP proof (e.g., a TLS exporter value).

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth