yaronf
commented
3 days ago Interesting, but if we accept an extra round we can do much more than provide a nonce. We can replace the asymmetric digital signature by an initial handshake to establish a shared secret, followed by symmetric MAC for all other HTTP exchanges. The "hidden" cost is quite a bit of complexity.
Commenting as identity enthusiast as opposed to WIMSE co-chair
DPoP includes a mechanism that allows verifiers to specify a nonce that should be used in the next proof. It achieves this by returning a nonce as part of the response to a request (either as an error or as part of the HTPP 200 response). It adds an extra call, but is efficient after that with a fresh nonce provided in each response. Although including these nonces may preclude pre-computation and re-use of proofs, it may be required for high assurance applications and may be made optional, similar to how this mechanism was made options for DPoP.