Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Workload Proof Token Binding to transport #40

Open
PieterKas opened this issue Jul 4, 2024 · 5 comments
Open

Workload Proof Token Binding to transport #40

PieterKas opened this issue Jul 4, 2024 · 5 comments

Comments

@PieterKas
Copy link

PieterKas commented Jul 4, 2024

Commenting as identity enthusiast as opposed to WIMSE co-chair

DPoP allows for inclusion of claims about the HTTP Method and URI of the recipient to avoid spurious re-use or re-purposing of the proof. Is this achieved through the aud claim, or do we need additional provisions/extensions for this in the Workload Proof Token.

@bc-pi
Copy link
Collaborator

bc-pi commented Jul 11, 2024

It is currently (in -00) achieved partially though the aud claim, which is basically equivalent to DPoP's htu claim. In the first draft of this one, I opted for simplicity, minimalism, and the use of existing original RFC7519 defined claims where it was possible and seemed to make sense.

@yaronf
Copy link
Collaborator

yaronf commented Sep 20, 2024

@bc-pi So why not add the htm (HTTP method) claim with the same syntax as in RFC 9449?

@bc-pi
Copy link
Collaborator

bc-pi commented Sep 25, 2024

I opted for simplicity, minimalism, and the use of existing original RFC7519 defined claims where it was possible and seemed to make sense

@yaronf
Copy link
Collaborator

yaronf commented Sep 25, 2024

I imagine the same lofty goals applied to the original DPoP, and yet htm found its way in - because it's so critical to the semantics of the message.

@bc-pi
Copy link
Collaborator

bc-pi commented Sep 25, 2024

It was much more haphazard, if I recall correctly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants