> On 6 Nov 2020, at 22:02, Brian Campbell wrote:
>
>
>
>
>> On Tue, May 5, 2020 at 2:52 PM Brian Campbell
>> wrote:
>>
>>>
>>> 9.1:
>>> This would be a good place to mention BREACH as an example of how a DPoP
>>> proof (and AT) might leak, despite only being sent over a direct HTTPS
>
On Tue, May 5, 2020 at 2:52 PM Brian Campbell
wrote:
>
>
>> 9.1:
>> This would be a good place to mention BREACH as an example of how a DPoP
>> proof (and AT) might leak, despite only being sent over a direct HTTPS
>> channel. Note though that adding a random jti is an effective defence
>> agains
Thanks Neil. I do appreciate your review and feedback (even if it takes me
a nontrivial amount of time to reply). I've attempted to respond to things
inline below.
On Mon, May 4, 2020 at 5:51 AM Neil Madden
wrote:
> Some review comments:
>
> Section 1:
> I think terms like “relatively simple” a
Some review comments:
Section 1:
I think terms like “relatively simple” are subjective and should be left out. I
don’t think the machinery of JWS signature verification (and associated
security issues) is necessarily simple at all.
“stronger methods … such as [RFC8705] or [token binding]”
I wou
