Hi All,
I think those are valid points, but they can be better addressed on
identity management forums like IDSA or IDPro.
https://www.idsalliance.org/
https://idpro.org/
On Mon, Aug 9, 2021 at 5:55 PM Warren Parad wrote:
> I definitely see that there is room for a potential attack depending
Hi Ash,
My understanding of an errata is when there is something technically wrong
with the document.
Your point is clear: that requiring the client id on the revocation endpoint for
public clients does not protect the endpoint is valid.
You might say that it is pointless to require it and might cause p
"This draft is actually significantly simpler than DPoP precisely because
it is not defining an HTTP signing mechanism. "
That is my understanding as well, but I was afraid to start a flame war :D
On Fri, Oct 8, 2021 at 4:23 PM Justin Richer wrote:
> Hi Mike,
>
> One of the major benefits of thi
I guess it is fair to say that when we are talking about credentialed
clients, we are targeting native apps that after getting installed use a
ceremony (probably using Dynamic client registration) to establish a
credential for that specific instance on AS. Do you foresee other use cases?
Back to Da