Commenting as identity enthusiast as opposed to WIMSE co-chair
DPoP includes a mechanism that allows verifiers to specify a nonce that should be used in the next proof. It achieves this by returning a nonce as part of the response to a request (either as an error or as part of the HTTP 200 response). It adds an extra call, but is efficient after that with a fresh nonce provided in each response. Although including these nonces may preclude pre-computation and re-use of proofs, it may be required for high assurance applications and may be made optional, similar to how this mechanism was made optional for DPoP.
PieterKas changed the title from "Freshness proofs" to "Freshness of Workload Proof Tokens" on Jul 4, 2024
Interesting, but if we accept an extra round we can do much more than provide a nonce. We can replace the asymmetric digital signature by an initial handshake to establish a shared secret, followed by symmetric MAC for all other HTTP exchanges. The "hidden" cost is quite a bit of complexity.
Challenge response would limit the use cases to synchronous calls. Asynchronous deployments such as message brokers would not be able to implement this.
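The nonce round trip described in the issue text, as an added sketch that is not part of the thread or of any WIMSE or DPoP implementation: a verifier that returns a time-bounded nonce in every response and challenges any proof that lacks a fresh one. The `Verifier` and `Client` classes, the HMAC-based nonce format and the `rs.example` URL are assumptions, and proof signature verification is left out; the `DPoP-Nonce` header and the `use_dpop_nonce` error are the names used by RFC 9449.

```python
import hashlib
import hmac
import secrets
import time

class Verifier:
    def __init__(self, max_age=60):
        self._key = secrets.token_bytes(32)  # server-side secret, never sent
        self.max_age = max_age               # seconds a nonce stays acceptable

    def _tag(self, ts):
        return hmac.new(self._key, ts.encode(), hashlib.sha256).hexdigest()

    def issue_nonce(self, now):
        ts = str(int(now))
        return f"{ts}.{self._tag(ts)}"       # "<unix-ts>.<HMAC>" (constructed format)

    def nonce_ok(self, nonce, now):
        if not isinstance(nonce, str):
            return False                     # proof carried no nonce
        ts, _, tag = nonce.partition(".")
        if not hmac.compare_digest(tag.encode(), self._tag(ts).encode()):
            return False                     # not issued by this verifier
        return 0 <= now - int(ts) <= self.max_age  # reject stale nonces

    def handle(self, proof, now):
        # Signature and other claim checks are omitted (assumption); only freshness is shown.
        headers = {"DPoP-Nonce": self.issue_nonce(now)}  # fresh nonce on every response
        if not self.nonce_ok(proof.get("nonce"), now):
            headers["WWW-Authenticate"] = 'DPoP error="use_dpop_nonce"'
            return 401, headers
        return 200, headers

class Client:
    def __init__(self, verifier):
        self.verifier, self.nonce, self.round_trips = verifier, None, 0

    def call(self, now):
        for _ in range(2):                   # at most one retry after a challenge
            self.round_trips += 1
            proof = {"htm": "GET", "htu": "https://rs.example/data", "nonce": self.nonce}
            status, headers = self.verifier.handle(proof, now)
            self.nonce = headers.get("DPoP-Nonce", self.nonce)
            if status != 401:
                break
        return status

if __name__ == "__main__":
    client = Client(Verifier())
    print(client.call(time.time()), client.round_trips)
```

Only the first call, or a call after the client has been idle longer than `max_age`, costs the extra round trip; a proof built in advance with an old nonce is challenged rather than accepted.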