I would suggest that the security considerations section of
draft-ietf-oauth-mtls-12 be expanded to include the privacy
implications of using this on versions of TLS before 1.3. On all
versions of TLS before 1.3, the client cert is not encrypted and can
be used by third parties to monitor and trac

JWT defines a number of standard claims that are used in this application,
including "iss" (issuer), "aud" (audience), etc. Making the requests a JWT
allows code reuse, rather than having an application-specific signed request
representation that has many of the semantics and fields of a JWT an

As part of looking at the issues of using CWTs for this purpose I did some
more reading of the document. I am having a problem understanding the
reasons for using JWT as opposed to just saying that you are going to
use JWS and JWE. There is nothing in this section that I can see that
poi