Open OR13 opened 2 months ago
There is also https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/ which is worth considering.
The Concealed HTTP authentication scheme allows a client to authenticate to an origin server while guaranteeing freshness and without the need for the server to transmit a nonce to the client.
A TLS keying material exporter is pretty much just a nonce from a different layer.
There was discussion of the nonce endpoint here: https://github.com/openid/OpenID4VCI/pull/381/files#r1752363400
My coauthors and I worked on a draft presented to the IETF OAuth WG on making a generic building block for this:
https://github.com/peppelinux/draft-demarco-oauth-nonce-endpoint
RATs and protocols not part of OIDCVCI could benefit from an aligned approach.
If there is a chance to pull out enough of this API into a generic document that other systems could build on... that is worth exploring.
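As an added example (not code from this issue, from the Concealed HTTP draft, or from the nonce-endpoint draft), the Go program below shows the point made above that a TLS keying material exporter is a nonce from another layer: after one TLS 1.3 handshake over loopback, client and server each derive the same 32 bytes from the connection secrets without either side sending them, and a second handshake yields a different value. The exporter label, the host name `example.test` and the self-signed certificate are constructed for the demo; the label the Concealed HTTP draft registers is not reproduced here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// must keeps the demo short: any setup or handshake failure aborts with its error.
func must(err error) {
	if err != nil {
		panic(err)
	}
}
// ExporterNonces runs one TLS 1.3 handshake over loopback and returns the keying-material export that
// client and server each derive locally for the same label. The self-signed cert is throwaway demo material.
func ExporterNonces(label string) (client, server []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // cannot fail: DER we just produced
	pool := x509.NewCertPool()             // the client trusts exactly this certificate; no InsecureSkipVerify
	pool.AddCert(leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	fromServer := make(chan []byte, 1)
	go func() { // server side: accept one connection, complete the handshake, run the exporter
		raw, err := ln.Accept()
		must(err)
		s := tls.Server(raw, &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
		must(s.Handshake())
		cs := s.ConnectionState()
		out, err := cs.ExportKeyingMaterial(label, nil, 32) // same label, same connection secrets => same bytes as the client
		must(err)
		fromServer <- out
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "example.test", MinVersion: tls.VersionTLS13})
	must(err)
	defer c.Close()
	cs := c.ConnectionState()
	client, err = cs.ExportKeyingMaterial(label, nil, 32) // never transmitted; fresh per handshake
	must(err)
	return client, <-fromServer
}
```

Because the value is bound to the handshake, a server that verifies a client signature over it gets freshness for free and never has to mint, store or expire a nonce of its own.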