Re: [OAUTH-WG] draft-fett-oauth-dpop-00

[Simon Moffatt <simon.moffatt@forgerock.com>]

Hi Daniel

I couldn't see on the thread if this has already been discussed, so
apologies if it has, but is there any value in checking the PoP JWT
freshness?  Eg validating an *iat* claim  - probably more likely on the RS?

Eg I see the *jti* claim is useful for replay protection (assuming
storage of that on the AS/RS side) do you think it might be good to also
to know how fresh the token is? 

I guess this falls under
https://tools.ietf.org/html/draft-fett-oauth-dpop-01#section-6

Regards

Simon.


On 28/03/2019 10:17, Daniel Fett wrote:
>
> Hi all,
>
> I published the first version of the DPoP draft at
> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
>
> Abstract
>
>    This document defines a sender-constraint mechanism for OAuth 2.0
>    access tokens and refresh tokens utilizing an application-level
>    proof-of-possession mechanism based on public/private key pairs.
>
> Thanks for the feedback I received so far from John, Mike, Torsten,
> and others during today's session or before!
>
> If you find any errors I would welcome if you open an issue in the
> GitHub repository at https://github.com/webhamster/draft-dpop
>
> - Daniel   
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
-- 
ForgeRock <https://www.forgerock.com/> 	*Simon Moffatt* CISSP, CEH
Technical Director - IAM Core | Product Management | ForgeRock
*t* (44) 7903 347 240  |  *e* simon.moffatt@forgerock.com
<mailto:simon.moffatt@forgerock.com>
*twitter* @simonmoffatt  |  *web* www.forgerock.com
<https://www.forgerock.com/>



NOTICE: This message, including any attachments, may contain
confidential information. If you are not the intended recipient, please
advise the sender immediately and destroy all copies of this message and
any attachments. ForgeRock Ltd may monitor email traffic data and also
the content of email transmitted over its network for security purposes.
No employee or agent is authorized to conclude any binding agreement on
behalf of ForgeRock Ltd by means of e-mail communication. ForgeRock Ltd
is a limited company registered in England and Wales; its registered
address is 60 Queen Square, Bristol, BS1 4JZ; and its registration
number is 7227664.



Nashville 2018 <https://www.forgerock.com/identity-live/nashville>